chapter 1 Introduction 



What's New in 7.3? 

New in COS Version 7.3 are the following features: 

• Wireless Hotspot Support 

This is a new keyed feature that allows users to log in to the wireless 
LAN by user name and password. This feature also supports RADIUS 
server user authentication. See "Wireless Hotspot Support (keyed feature)" 
on page 72. Also see "Install Keys" on page 149. 

• ATM Variable Bit Rate support in Traffic Shaping 
See "Configure -> WAN" on page 78. 

• Improved LAN host discovery 

See "Improved LAN Host Discovery" on page 19. 

• SNMP Set Support 

See "SNMP" on page 102. 

• Yahoo Messenger ALG Support 

See "Yahoo Messenger ALG Support" on page 19. 
About Cayman Documentation 




NOTE: 



This guide describes the wide variety of features and functionality 
of the Cayman Gateway, when used in Router mode. The Cayman 
Gateway may also be delivered in Bridge mode. In Bridge mode, 
the Gateway acts as a pass-through device and allows the 
workstations on your LAN to have public addresses directly on the 
Internet. 



Netopia, Inc. provides a suite of technical information for its Cayman-series 
family of intelligent enterprise and consumer Gateways. It consists of: 

• Software User Guide 

• Dedicated Quickstart guides 

• Specific White Papers 

The documents are available in electronic form as Portable Document 
Format (PDF) files. They are viewed (and printed) from Adobe Acrobat Reader, 
Exchange, or any other application that supports PDF files. 

They are downloadable from Netopia's website: 
http://www.netopia.com/ 
Intended Audience 

This guide is targeted primarily to residential service subscribers. 

Expert Mode sections may also be of use to the support staffs of broadband 
service providers and advanced residential service subscribers. 

See "Expert Mode" on page 47. 



Documentation Conventions 



General 



This manual uses the following conventions to present information: 

Convention (Typeface)        Description 
bold italic monospaced       Menu commands 
bold italic sans serif       Web GUI page links and button names 
terminal                     Computer display text 
bold terminal                User-entered text 
Italic                       Italic type indicates the complete titles of manuals. 
Internal Web Interface 

Convention (Graphics)                    Description 
dot-dashed rectangle                     Denotes an "excerpt" from a Web page or the visual truncation of a Web page 
solid rounded rectangle with an arrow    Denotes an area of emphasis on a Web page 



Command Line Interface 

Syntax conventions for the Cayman Gateway command line interface are as 
follows: 

Convention                                   Description 
straight ([ ]) brackets in command line      Optional command arguments 
curly ({ }) brackets, with values            Alternative values for an argument are presented in curly ({ }) 
separated with vertical bars (|)             brackets, with values separated with vertical bars (|). 
bold terminal type face                      User-entered text 
italic terminal type face                    Variables for which you supply your own values 



Text 

The words "Cayman Gateway" and "Gateway" refer to the Netopia Cayman 
Gateway. 

The expressions "Release 7.3" and "R 7.3" refer to the most recent generally 
available Cayman Operating System. 
Organization 

This guide consists of eight chapters, including a glossary, and an index. It 
is organized as follows: 

• Chapter 1, "Introduction" — Describes the Cayman document suite, 
the purpose of, the audience for, and structure of this guide. It gives a 
table of conventions and presents a product description summary. 

• Chapter 2, "Basic Mode Setup" — Describes how to get up and running 
with your Cayman Gateway. 

• Chapter 3, "Expert Mode" — Focuses on the "Expert Mode" Web-based 
user interface for advanced users. It is organized in the same way 
as the Web UI is organized. As you go through each section, functions 
and procedures are discussed in detail. 

• Chapter 4, "Basic Troubleshooting" — Gives some simple suggestions 
for troubleshooting problems with your Gateway's initial configuration. 

• Chapter 5, "Advanced Troubleshooting" — Gives suggestions and 
descriptions of expert tools to use to troubleshoot your Gateway's 
configuration. 

• Chapter 6, "Command Line Interface" — Describes all the current 
text-based commands for both the SHELL and CONFIG modes. A summary 
table and individual command examples for each mode are provided. 

• Chapter 7, "Glossary" 

• Chapter 8, "Technical Specifications and Safety Information" 

• Index 
Overview of Major Capabilities 



The Netopia Gateway offers simplified setup and management features as 
well as advanced broadband router capabilities. The following are some of 
the main features of the Netopia Gateway: 

• "Wide Area Network Termination" on page 16 

The Gateway combines an ADSL modem with an Internet router. It translates 
protocols used on the Internet to protocols used by home personal computers 
and eliminates the need for special desktop software (for example, a PPPoE 
client). 

• "Simplified Local Area Network Setup" on page 18 

Built-in DHCP and DNS proxy features minimize or eliminate the need to 
program any network configuration into your home personal computer. 

• "Management" on page 19 

A Web server built into the Cayman Operating System makes setup and 
maintenance easy using standard browsers. Diagnostic tools facilitate 
troubleshooting. 

• "Security" on page 21 

Network Address Translation (NAT), password protection, Stateful Inspection 
firewall and other built-in security features prevent unauthorized remote access 
to your network. Pinholes, default server, and other features permit access to 
computers on your home network that you can specify. 

Wide Area Network Termination 

PPPoE/PPPoA (Point-to-Point Protocol over Ethernet/ATM). The PPPoE 
specification, incorporating the PPP and Ethernet standards, allows your 
computer(s) to connect to your Service Provider's network through your 
Ethernet WAN connection. The Cayman-series Gateway supports PPPoE, 
eliminating the need to install PPPoE client software on any LAN computers. 

Service Providers may require the use of PPP authentication protocols such 
as Challenge Handshake Authentication Protocol (CHAP) or Password 
Authentication Protocol (PAP). CHAP and PAP use a username and password 
pair to authenticate users with a PPP server. 

A CHAP authentication process works as follows: 

1. The password is a shared secret, known by both peers. It is never sent 
over the link. 

2. The PPP server sends the unit a challenge string. 

3. The unit uses the password to scramble (hash) the challenge and sends 
the scrambled result back to the peer, which computes the same value 
from its own copy of the password and compares the two. 

PAP, a less robust method of authentication, sends a username and password 
to a PPP server to be authenticated. PAP's username and password 
pair are not encrypted, and are therefore sent "unscrambled": anyone able to 
observe the link can read them. 
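The two exchanges described above, as an added example that is not part of this manual or of Netopia's software. It models CHAP with the MD5 algorithm from RFC 1994 (Response = MD5(Identifier || secret || Challenge)) and the PAP Authenticate-Request layout from RFC 1334; the username and secret are constructed values, and the challenge length and the use of a constant-time compare on the authenticator side are choices made for the example.

```python
import hashlib
import os
import secrets
from typing import Dict, Tuple

# Constructed example credentials (not real ones): the username and password
# a Service Provider would hand out for the PPP session.
USERNAME = "subscriber@example.net"
SHARED_SECRET = b"example-ppp-secret"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || secret || Challenge).

    The secret feeds the hash but is never transmitted; only the challenge and
    the 16-byte digest cross the link.
    """
    if not 0 <= identifier <= 255:
        raise ValueError("the CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute the digest from its own copy of the secret
    and compare in constant time, so timing does not reveal how much matched."""
    expected = chap_response(identifier, secret, challenge)
    return secrets.compare_digest(expected, response)


def chap_exchange(peer_secret: bytes, authenticator_secret: bytes) -> Tuple[bool, Dict]:
    """One CHAP round. The authenticator (the ISP's PPP server) picks a fresh
    Identifier and a random Challenge every time, so a captured Response cannot
    be replayed later; the peer (the Gateway) answers with the digest.
    Returns (authenticated, what an eavesdropper on the link would see)."""
    identifier = secrets.randbelow(256)
    challenge = os.urandom(16)          # 16 bytes is an assumption for the example
    response = chap_response(identifier, peer_secret, challenge)
    on_the_wire = {"identifier": identifier, "challenge": challenge, "response": response}
    return chap_verify(identifier, authenticator_secret, challenge, response), on_the_wire


def pap_authenticate_request(peer_id: str, password: str) -> bytes:
    """Data field of a PAP Authenticate-Request (RFC 1334):
    Peer-ID-Length, Peer-ID, Passwd-Length, Password, all in the clear."""
    pid, pw = peer_id.encode(), password.encode()
    if len(pid) > 255 or len(pw) > 255:
        raise ValueError("PAP length fields are one octet")
    return bytes([len(pid)]) + pid + bytes([len(pw)]) + pw


def pap_parse(data: bytes) -> Tuple[str, str]:
    """What a passive observer recovers from a captured PAP request."""
    pid_len = data[0]
    peer_id = data[1:1 + pid_len]
    pw_len = data[1 + pid_len]
    password = data[2 + pid_len:2 + pid_len + pw_len]
    return peer_id.decode(), password.decode()
```

Running `chap_exchange` twice with the same secret produces two different responses because the challenge differs, which is the property PAP lacks: `pap_parse` recovers the password from the request bytes without knowing anything else.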

Instant-On PPP. You can configure your Gateway for one of two types of 
Internet connections: 

• Always On 

• Instant On 

These selections provide either an uninterrupted Internet connection or an 
as-needed connection. 

While an Always On connection is convenient, it does leave your network 
permanently connected to the Internet, and therefore potentially vulnerable 
to attacks. 

Cayman's Instant On technology furnishes almost all the benefits of an 
Always-On connection while providing two additional security benefits: 

• Your network cannot be attacked from the Internet while it is not connected. 

• Your network may change address with each connection, making it more 
difficult to attack. 

Neither benefit applies while the link is up; for that period the NAT and 
firewall features described under "Security" on page 21 are what protect 
the LAN. 

When you configure Instant On access, you can also configure an idle 
time-out value. Your Gateway monitors traffic over the Internet link and when 
there has been no traffic for the configured number of seconds, it disconnects 
the link. 

When new traffic that is destined for the Internet arrives at the Gateway, the 
Gateway will instantly re-establish the link. 

Your service provider may be using a system that assigns the Internet 
address of your Gateway out of a pool of many possible Internet addresses. 
The address assigned varies with each connection attempt, which makes 
your network a moving target for any attacker. 

Simplified Local Area Network Setup 

DHCP (Dynamic Host Configuration Protocol) Server. DHCP Server 
functionality enables the Gateway to assign to your LAN computer(s) a 
"private" IP address and other parameters that allow network communication. 
The default DHCP Server configuration of the Gateway supports up to 253 
LAN IP addresses. 

This feature simplifies network administration because the Gateway 
maintains a list of IP address assignments. Additional computers can be added 
to your LAN without the hassle of configuring an IP address. 

DNS Proxy. Domain Name System (DNS) provides end users with the ability 
to look for devices or web sites by typing their names, rather than IP 
addresses. For web surfers, this technology allows you to enter the URL 
(Uniform Resource Locator) as text to surf to a desired website. 

The Cayman DNS Proxy feature allows the LAN-side IP address of the 
Gateway to be used for proxying DNS requests from hosts on the LAN to the 
DNS Servers configured in the gateway. This is accomplished by having the 
Gateway's LAN address handed out as the "DNS Server" to the DHCP clients 
on the LAN. 






NOTE: 

The Cayman DNS Proxy only proxies UDP DNS queries, not TCP 
DNS queries. A lookup whose answer does not fit in a UDP response 
(the server sets the truncation flag and the resolver retries over TCP) 
therefore fails through the proxy; a host that needs such lookups must 
be pointed at a DNS server directly. 



Improved LAN Host Discovery. The new OS software offers improved 
LAN host discovery. This is used primarily for software hosting, making it 
unnecessary for you to type in an IP address. (See "Software Hosting" on 
page 112.) The improved functionality periodically polls the LAN with ARP 
requests, approximately every five minutes, seeking to determine the 
presence of quiet hosts that are statically addressed. 
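The polling just described, as an added example that is not Netopia's code: it builds the ARP request frames a gateway would broadcast for every address of a /24, parses the replies (and any other ARP traffic, since a request also reveals a live host), and ages out hosts that stop answering. The frame layout follows RFC 826; the gateway MAC and addresses are constructed, the five-minute interval comes from the text, and the rule that a host drops out after three missed polls is an assumption of the example. Sending and receiving through a raw socket is deliberately left out so the code runs offline.

```python
import struct
from typing import Dict, List, Optional, Tuple

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def _mac(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _ip(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_arp(op: int, src_mac: str, src_ip: str, dst_mac: str, dst_ip: str) -> bytes:
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP packet (RFC 826).
    A request goes to the broadcast MAC with an all-zero target MAC."""
    eth_dst = BROADCAST_MAC if op == ARP_REQUEST else dst_mac
    target_mac = "00:00:00:00:00:00" if op == ARP_REQUEST else dst_mac
    header = _mac(eth_dst) + _mac(src_mac) + struct.pack("!H", ETH_P_ARP)
    # hardware type 1 (Ethernet), protocol 0x0800 (IPv4), lengths 6 and 4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += _mac(src_mac) + _ip(src_ip) + _mac(target_mac) + _ip(dst_ip)
    return header + arp


def parse_arp(frame: bytes) -> Optional[Tuple[int, str, str]]:
    """Return (opcode, sender_mac, sender_ip) for an IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return op, sender_mac, sender_ip


class HostTable:
    """Tracks LAN hosts from the ARP traffic seen. The periodic poll fills in
    quiet, statically addressed hosts that never send DHCP or other traffic."""

    def __init__(self, gw_mac: str, gw_ip: str,
                 poll_interval: float = 300.0, missed_polls: int = 3):
        self.gw_mac, self.gw_ip = gw_mac, gw_ip
        self.poll_interval = poll_interval        # ~five minutes, as the text says
        self.missed_polls = missed_polls          # assumed aging rule
        self.last_seen: Dict[str, Tuple[str, float]] = {}   # ip -> (mac, time)

    def poll_frames(self, prefix: str) -> List[bytes]:
        """One who-has request per usable host of a /24 (prefix like '192.168.1'),
        skipping the Gateway's own address."""
        return [build_arp(ARP_REQUEST, self.gw_mac, self.gw_ip, BROADCAST_MAC, f"{prefix}.{h}")
                for h in range(1, 255) if f"{prefix}.{h}" != self.gw_ip]

    def observe(self, frame: bytes, now: float) -> bool:
        """Record the sender of any ARP request or reply; both prove a live host.
        Probe packets with a 0.0.0.0 sender carry no usable address."""
        parsed = parse_arp(frame)
        if parsed is None:
            return False
        op, mac, ip = parsed
        if op not in (ARP_REQUEST, ARP_REPLY) or ip == "0.0.0.0":
            return False
        self.last_seen[ip] = (mac, now)
        return True

    def active_hosts(self, now: float) -> Dict[str, str]:
        """Hosts heard from within the last few polls; older entries age out."""
        cutoff = now - self.poll_interval * self.missed_polls
        return {ip: mac for ip, (mac, seen) in self.last_seen.items() if seen >= cutoff}
```

On a real gateway `poll_frames` would be written to a raw Ethernet socket every `poll_interval` seconds and every ARP frame read from it passed to `observe`; the host list the Web UI offers for software hosting is then `active_hosts(now)`.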

Yahoo Messenger ALG Support. The new OS software supports an 
application layer gateway (ALG) for the Yahoo Messenger client. This support 
provides the ability for Yahoo Messenger clients behind network address 
translation (NAT) to send files to remote Yahoo Messenger peers. No user 
configuration is required. 

• This feature supports file transfers only; not voice or web-cam. 

• This feature requires that the Yahoo client use the standard outbound 
Yahoo port of 5050. 

Management 

Embedded Web Server. There is no specialized software to install on your 
PC to configure, manage, or maintain your Cayman Gateway. Web pages 
embedded in the operating system provide access to the following Gateway 
operations: 

• Setup 

• System and security logs 

• Diagnostics functions 
Once you have removed your Cayman Gateway from its packing container 
and powered the unit up, use any LAN attached PC or workstation running a 
common web browser application to configure and monitor the Gateway. 

Diagnostics. In addition to the Gateway's visual LED indicator lights, you 
can run an extensive set of diagnostic tools from your Web browser. 

Two of the facilities are: 

• Automated "Multi-Layer" Test 

The Run Diagnostics link initiates a sequence of tests. They examine the 
entire functionality of the Gateway, from the physical connections to the 
data traffic. 

• Network Test Tools 

Three test tools to determine network reachability are available: 

Ping - tests the "reachability" of a particular network destination by 
sending an ICMP echo request and waiting for a reply. 

NSLookup - converts a domain name to its IP address and vice versa. 

TraceRoute - displays the path to a destination by showing the number 
of hops and the router addresses of these hops. 

The system log also provides diagnostic information. 




NOTE: 



Your Service Provider may request information that you acquire 
from these various diagnostic tools. Individual tests may be 
performed at the command line. (See "Command Line Interface" on 
page 177.) 
Security 

Remote Access Control. You can determine whether or not an 
administrator or other authorized person has access to configuring your 
Gateway. This access can be turned on or off in the Web interface. 

Password Protection. Access to your Cayman device can be controlled 
through two access control accounts, Admin or User. 

• The Admin, or administrative user, performs all configuration, 
management or maintenance operations on the Gateway. 

• The User account provides monitor capability only. 

A user may NOT change the configuration, perform upgrades or invoke 
maintenance functions. 

Network Address Translation (NAT). The Cayman Gateway Network 
Address Translation (NAT) security feature lets you conceal the topology of a 
hard-wired Ethernet or wireless network connected to its LAN interface from 
routers on networks connected to its WAN interface. In other words, the 
end computer stations on your LAN are not directly addressable from the 
Internet. 

Only a single WAN IP address is required to provide this security support 
for your entire LAN. 

LAN sites that communicate through an Internet Service Provider typically 
enable NAT, since they usually purchase only one IP address from the ISP. 

• When NAT is ON, the Cayman Gateway "proxies" for the end computer 
stations on your network by pretending to be the originating host for 
network communications from non-originating networks. The WAN interface 
address is the only IP address exposed. 

The Cayman Gateway tracks which local hosts are communicating with 
which remote hosts. It routes packets received from remote networks to 
the correct computer on the LAN (Ethernet) interface. 

• When NAT is OFF, a Cayman Gateway acts as a traditional TCP/IP router, 
and all LAN computers/devices are exposed to the Internet unless the 
Stateful Inspection firewall described later in this section is enabled. 



A diagram of a typical NAT-enabled LAN follows: 

[Diagram: the Internet connects to the Cayman Gateway's WAN Ethernet 
interface. NAT sits between that interface and the LAN Ethernet interface, 
behind which are the NAT-protected LAN stations. The Gateway's embedded 
admin services (HTTP Web server and Telnet server ports) are shown on the 
Gateway itself.] 



NOTE: 

1. The default setting for NAT is ON. 

2. Cayman uses Port Address Translation (PAT) to implement the 
NAT facility. 

3. NAT Pinhole traffic (discussed below) is always initiated from 
the WAN side. 
Cayman Advanced Features for NAT. Using the NAT facility provides 
effective LAN security. However, there are user applications that require 
methods to selectively bypass this security function for certain types of 
Internet traffic. 

Cayman Gateways provide special pinhole configuration rules that enable 
users to establish NAT-protected LAN layouts that still provide flexible 
bypass capabilities. 

Some of these rules require coordination with the unit's embedded 
administration services: the internal Web (HTTP) Port (TCP 80) and the 
internal Telnet Server Port (TCP 23). 

Internal Servers. The internal servers are the embedded Web and Telnet 
servers of the Gateway. You would change the internal server ports for Web 
and Telnet of the Gateway if you wanted to forward those ports to hosts on 
the LAN using pinholes or the Default server. Pinhole configuration rules 
provide an internal port forwarding facility that enables you to eliminate 
conflicts with embedded administrative ports 80 and 23. 

Pinholes. This feature allows you to: 

• Transparently route selected types of network traffic using the port 
forwarding facility. 

FTP requests or HTTP (Web) connections are directed to a specific host 
on your LAN. 

• Set up multiple pinhole paths. 
Up to 32 paths are supported. 

• Identify the type(s) of traffic you want to redirect by port number. 

Common TCP/IP protocols and ports are: 

• FTP (TCP 21) 
• telnet (TCP 23) 
• SMTP (TCP 25) 
• HTTP (TCP 80) 
• SNMP (TCP 161, UDP 161) 

See page 85 for How To instructions. 



Default Server. This feature allows you to: 

• Direct your Gateway to forward all externally initiated IP traffic (TCP and 
UDP protocols only) to a default host on the LAN. 

• Enable it for certain situations: 

Where you cannot anticipate what port number or packet protocol an 
inbound application might use. 

For example, some network games select arbitrary port numbers when a 
connection is opened. 

When you want all unsolicited traffic to go to a specific LAN host. 

Combination NAT Bypass Configuration. Specific pinholes and Default 
Server settings, each directed to different LAN devices, can be used 
together. 



WARNING: 

Creating a pinhole or enabling a Default Server allows inbound 
access to the specified LAN station. Contact your Network Admin- 
istrator for LAN security questions. 



IP-Passthrough. Cayman OS now offers an IP passthrough feature. The IP 
passthrough feature allows a single PC on the LAN to have the Gateway's 
public address assigned to it. It also provides PAT (NAPT) via the same 
public IP address for all other hosts on the private LAN subnet. 

VPN IPSec Pass Through. This Cayman service supports your 
independent VPN client software in a transparent manner. Cayman has 
implemented an Application Layer Gateway (ALG) to support multiple PCs running 
IP Security protocols. 
This feature has three elements: 

1. On power up or reset, the address mapping function (NAT) of the 
Gateway's WAN configuration is turned on by default. 

2. When you use your third-party VPN application, the Gateway recognizes 
the traffic from your client and your unit. It allows the packets to pass 
through the NAT "protection layer" via the encrypted IPSec tunnel. 

3. The encrypted IPSec tunnel is established "through" the Gateway. 

A typical VPN IPSec Tunnel pass through is diagrammed below: 

[Diagram: VPN PC clients behind the Cayman Gateway reach a secure server 
at Corporate Headquarters across the WAN; the encrypted IPSec tunnel 
carries the secure site traffic through the Gateway.] 

Typically, no special configuration is necessary to use the IPSec 
pass through feature. 

In the diagram, VPN PC clients are shown behind the Cayman 
Gateway and the secure server is at Corporate Headquarters 
across the WAN. You cannot have your secure server behind the 
Cayman Gateway. 
When multiple PCs are starting IPSec sessions, they must be 
started one at a time to allow the associations to be created and 
mapped. 

VPN IPSec Tunnel Termination. This Cayman service supports 
termination of VPN IPsec tunnels at the Gateway. This permits tunnelling 
from the Gateway without the use of third-party VPN client software on your 
client PCs. 

Stateful Inspection Firewall. Stateful inspection is a security feature that 
prevents unsolicited inbound access when NAT is disabled. You can 
configure UDP and TCP "no-activity" periods that will also apply to NAT 
time-outs if stateful inspection is enabled on the interface. 

Technical details are discussed in "Expert Mode" on page 47. 
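The NAT, pinhole, Default Server, Remote Access Control and "no-activity" time-out behaviour described in this section, gathered into one added example that is not Cayman OS code. It is a small Port Address Translation model whose point is the order in which inbound traffic is matched: reply to a LAN-initiated flow first, then an explicit pinhole, then the Gateway's own embedded servers (only if remote access is on), then the Default Server, otherwise drop. The addresses, the WAN port range, the idle periods, the 32-pinhole limit from the text and the choice to drop admin-port traffic when remote access is off are assumptions of the example.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"; the Default Server forwards only these
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    """PAT as this chapter describes it: outbound flows get a WAN port, replies
    are matched statefully against the remote they came from, and unsolicited
    inbound traffic reaches the LAN only through a pinhole or the Default Server."""

    MAX_PINHOLES = 32

    def __init__(self, wan_ip: str, lan_ip: str, tcp_idle: float = 3600, udp_idle: float = 300):
        self.wan_ip, self.lan_ip = wan_ip, lan_ip
        self.idle = {"tcp": tcp_idle, "udp": udp_idle}    # "no-activity" periods (assumed values)
        # (proto, wan_port) -> [lan_ip, lan_port, remote_ip, remote_port, last_seen]
        self.sessions: Dict[Tuple[str, int], List] = {}
        self.pinholes: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.default_server: Optional[str] = None
        self.admin_ports = {("tcp", 80): "web", ("tcp", 23): "telnet"}   # embedded servers
        self.remote_admin = False                                        # Remote Access Control
        self._next_port = 49152

    def move_admin_service(self, name: str, new_port: int) -> None:
        """Relocate the embedded Web or Telnet server so its well-known port is free to pinhole."""
        for key, svc in list(self.admin_ports.items()):
            if svc == name:
                del self.admin_ports[key]
                self.admin_ports[("tcp", new_port)] = name
                return
        raise KeyError(name)

    def add_pinhole(self, proto: str, wan_port: int, lan_ip: str, lan_port: int) -> None:
        key = (proto, wan_port)
        if key in self.admin_ports:
            raise ValueError(f"{proto}/{wan_port} is the embedded {self.admin_ports[key]} port; move it first")
        if len(self.pinholes) >= self.MAX_PINHOLES:
            raise ValueError("pinhole limit reached")
        self.pinholes[key] = (lan_ip, lan_port)

    def _expire(self, now: float) -> None:
        stale = [k for k, s in self.sessions.items() if now - s[4] > self.idle[k[0]]]
        for k in stale:
            del self.sessions[k]

    def outbound(self, pkt: Packet, now: float) -> Packet:
        """LAN -> WAN: reuse or allocate a WAN port and rewrite the source address."""
        self._expire(now)
        for (proto, port), s in self.sessions.items():
            if proto == pkt.proto and s[:4] == [pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port]:
                s[4] = now
                return replace(pkt, src_ip=self.wan_ip, src_port=port)
        port, self._next_port = self._next_port, self._next_port + 1
        self.sessions[(pkt.proto, port)] = [pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, now]
        return replace(pkt, src_ip=self.wan_ip, src_port=port)

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """WAN -> LAN. Returns the packet as delivered, or None when it is dropped."""
        self._expire(now)
        key = (pkt.proto, pkt.dst_port)
        s = self.sessions.get(key)
        if s is not None and s[2:4] == [pkt.src_ip, pkt.src_port]:   # reply to a LAN-initiated flow
            s[4] = now
            return replace(pkt, dst_ip=s[0], dst_port=s[1])
        if key in self.pinholes:                                      # explicit bypass
            lan_ip, lan_port = self.pinholes[key]
            return replace(pkt, dst_ip=lan_ip, dst_port=lan_port)
        if key in self.admin_ports:                                   # the Gateway's own servers
            return replace(pkt, dst_ip=self.lan_ip) if self.remote_admin else None
        if self.default_server is not None and pkt.proto in ("tcp", "udp"):
            return replace(pkt, dst_ip=self.default_server)           # catch-all
        return None
```

The stateful check is the line comparing `s[2:4]` with the packet's source: a packet arriving on a mapped WAN port from a remote the LAN host never talked to is not a reply and falls through to the pinhole and Default Server rules. Note the consequence for the Default Server: once a mapping has idled out, traffic that would previously have been dropped now lands on the default host.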
A Word About Example Screens 

This manual contains many example screen illustrations. Since Netopia 
Cayman Series Gateways offer a wide variety of features and functionality, 
the example screens shown may not appear exactly the same for your 
particular Gateway or setup as they appear in this manual. The example 
screens are for illustrative and explanatory purposes, and should not be 
construed to represent your own unique environment. 
chapter 2 Basic Mode Setup 



Most users will find that the basic Quickstart configuration is all that they 
ever need to use. This section may be all that you ever need to configure 
and use your Cayman Gateway. The following instructions cover installation 
in Router Mode. 

This section covers: 

• "Important Safety Instructions" on page 30 

• "Set up the Cayman Gateway" on page 31 

• "Configure the Cayman Gateway" on page 35 

• "Cayman Gateway Status Indicator Lights" on page 38 

• "Home Page - Basic Mode" on page 39 
Important Safety Instructions 

POWER SUPPLY INSTALLATION 

Connect the power supply cord to the power jack on the Cayman Gateway. 
Plug the power supply into an appropriate electrical outlet. 




Depending on the power supply provided with the product, either 
the direct plug-in power supply blades, power supply cord plug or 
the appliance coupler serves as the mains power disconnect. It 
is important that the direct plug-in power supply, socket-outlet or 
appliance coupler be located so it is readily accessible. 

CAUTION (North America Only): For use only with a CSA Certified 
or UL Listed Limited Power Source or Class 2 power supply, 
rated 12Vdc, 1.5A. 

(Sweden) The apparatus must be connected to a grounded outlet when 
it is connected to a network. 

(Norway) The apparatus must only be connected to a grounded outlet. 

USB-powered models: For Use with Listed I.T.E. Only 



TELECOMMUNICATION INSTALLATION 

When using your telephone equipment, basic safety precautions should 
always be followed to reduce the risk of fire, electric shock and injury to 
persons, including the following: 

• Do not use this product near water, for example, near a bathtub, wash 
bowl, kitchen sink or laundry tub, in a wet basement or near a swimming 
pool. 

• Avoid using a telephone (other than a cordless type) during an electrical 
storm. There may be a remote risk of electrical shock from lightning. 

• Do not use the telephone to report a gas leak in the vicinity of the leak. 

SAVE THESE INSTRUCTIONS 
Set up the Cayman Gateway 

Refer to your Quickstart Guide for instructions on how to connect your 
Cayman Gateway to your power source, PC or local area network, and your 
Internet access point, whether it is a dedicated DSL outlet or a DSL or cable 
modem. Different Cayman Gateway models are supplied for any of these 
connections. Be sure to enable Dynamic Addressing on your PC. Perform 
the following: 

Microsoft Windows: 

Step 1. Navigate to the TCP/IP Properties Control Panel. 

a. Some Windows versions follow a path like this: Start menu -> Settings -> 
Control Panel -> Network (or Network and Dial-up Connections -> Local Area 
Connection -> Properties) -> TCP/IP [your_network_card] or Internet Protocol 
[TCP/IP] -> Properties 

b. Some Windows versions follow a path like this: Start menu -> Control Panel 
-> Network and Internet Connections -> Network Connections -> Local Area 
Connection -> Properties -> Internet Protocol [TCP/IP] -> Properties 



[Screenshot: the Internet Protocol (TCP/IP) Properties dialog, with "Obtain 
an IP address automatically" and "Obtain DNS server address automatically" 
selected.] 



Then go to Step 2. 
Step 2. Select Obtain an IP address automatically. 
Step 3. Select Obtain DNS server address automatically, if available. 
Step 4. Remove any previously configured Gateways, if available. 
Step 5. OK the settings. Restart if prompted. 
Macintosh MacOS 8 or higher or Mac OS X: 

Step 1. Access the TCP/IP or Network control panel. 

a. MacOS follows a path like this: Apple Menu -> Control Panels -> TCP/IP 
Control Panel 

b. Mac OS X follows a path like this: Apple Menu -> System Preferences -> 
Network 
[Screenshot: the Mac OS X Network preferences pane, TCP/IP tab, set to 
Configure Using DHCP; fields for IP Address, Subnet Mask, Router, DHCP 
Client ID and Search Domains.] 

Then go to Step 2. 
Step 2. Select Built-in Ethernet. 
Step 3. Select Configure Using DHCP. 
Step 4. Close and Save, if prompted. 
Proceed to "Configure the Cayman Gateway" on page 35. 
Configure the Cayman Gateway 

1. Run your Web browser application, such as Netscape Navigator or 
Microsoft Internet Explorer, from the computer connected to the Cayman 
Gateway. 

Enter http://192.168.1.254 in the Location text box. 
The Admin Password page appears. 

The Admin Password page reads: 

Welcome to your Cayman 3000 

Before configuration, your Gateway requires a password to protect it from 
unauthorized access. This password is unique to this Gateway. It is case 
sensitive, and must be 1 to 8 characters long. Remember this password or 
keep it in a safe place. 

After you submit your new password, you must logon before continuing. 
When you connect to your Gateway as an Administrator, you enter "Admin" 
as the UserName and the password you just created in the Logon dialog. 

Under the heading Admin Password it has New Password and Confirm 
Password fields and a Submit button. 

Access to your Cayman device can be controlled through two access con- 
trol accounts, Admin or User. 

• The Admin, or administrative user, performs all configuration, manage- 
ment or maintenance operations on the Gateway. 

• The User account provides monitor capability only. 

A user may NOT change the configuration, perform upgrades or invoke 
maintenance functions. 

For the security of your connection, an Admin password must be set on 
the Cayman unit. 
2. The browser then displays the Welcome page (the Quickstart web page). 



The Quickstart page has ISP User-name and ISP Password fields and a 
Connect to the Internet button. 

Enter the username and password supplied by your Internet Service Pro- 
vider. Click the Connect to the Internet button. 

Once you enter your username and password here, you will no longer 
need to enter them whenever you access the Internet. The Cayman Gate- 
way stores this information and automatically connects you to the Inter- 
net. 






The Gateway displays a message while it configures itself. 

3. When the connection succeeds, your browser will display a success 
message. 
Once a connection is established, your browser is redirected to your 
service provider's home page or a registration page on the Internet. 

4. Congratulations! Your installation is complete. You can now surf to your 
favorite Web sites by typing an URL in your browser's location box or by 
selecting one of your favorite Internet bookmarks. 
Cayman Gateway Status Indicator Lights 

Colored LEDs on your Cayman Gateway indicate the status of various port 
activity. Different Gateway models have different ports for your connections 
and different indicator LEDs. The Quickstart Guide accompanying your Cay- 
man Gateway describes the behavior of the various indicator LEDs. 

[Figure: example status indicator lights (LEDs).] 

Home Page - Basic Mode 

After you have performed the basic Quickstart configuration, any time you 
log in to your Cayman Gateway you will access the Cayman Gateway Home 
Page. 

You access the Home Page by typing http://192.168.1.254 in your Web 
browser's location box. 



The Basic Mode Home Page appears. An example Home Page (a Cayman 
3341 running release 7.3.0) shows: 

Cayman 3341 Home Page 

Serial Number: 10095 016 
Release: 7.3.0 
Warranty Date: 04/05/2003 
Status of DSL: Up 
Local WAN IP Address: 143.137.199.3 
Remote Gateway Address: 133.15.125.12 
Primary DNS: 143.137.50.10 
Secondary DNS: 143.137.137.9 
ISP UserName: dsingh 
Ethernet Status: Up 
USB Status: Down 

The left-hand column holds the Help link and the other links described 
below. 
The Home Page displays the following information in the center section: 

Serial Number 
    This is the unique serial number of your Gateway. 

Software Release 
    This is the version number of the current embedded software in 
    your Gateway. 

Warranty Date 
    This is the date that your Gateway was installed and enabled. 

Status of DSL 
    DSL connection (Internet) is either Up or Down. 

Status of Connection 
    'Waiting for DSL' is displayed while the Gateway is training. This 
    should change to 'Up' within two minutes. 
    'Up' is displayed when the ADSL line is synched and the PPPoE 
    session is established. 
    'Down' indicates inability to establish a connection; possible line 
    failure. 

Local WAN IP Address 
    This is the negotiated address of the Gateway's WAN interface. 
    This address is usually dynamically assigned. 

Remote Gateway Address 
    This is the negotiated address of the remote router to which this 
    Gateway is connected. 

Primary DNS, Secondary DNS 
    These are the negotiated DNS addresses. 

ISP Username 
    This is your PPPoE username as assigned by your service provider. 

Ethernet Status 
    (if so equipped) Local Area Network (Ethernet) is either Up or Down. 

USB Status 
    If your Gateway is so equipped, Local Area Network (USB) is either 
    Up or Down. 

The links in the left-hand column on this page allow you to manage or 
configure several features of your Gateway. Each link is described in its own 
section. 
Link: Manage My Account 

You can change your ISP account information for the Cayman Gateway. You 
can also manage other aspects of your account on your service provider's 
account management Web site. 

Click on the Manage My Account link. The Manage My Account page 
appears. It is headed My Account Update and reads: "If you want to change 
your account information, please enter the new information here. Click 
"Submit" to update your account username and/or password and reconnect 
to the Internet." Under ISP Account Information it has Username, New 
Password and Confirm Password fields, and a Submit button. 

Enter your username, and then your new password. Confirm your new 
password. For security, your actual passwords are not displayed on the screen 
as you type. You must enter the new password twice to be sure you have 
typed it correctly. 

Click the Submit button. 



Click the Continue button. You will be taken to your service provider's Web 
site account management page. 
Link: Status Details 



If you need to diagnose any problems with your Cayman Gateway or its 
connection to the Internet, you can run a sophisticated diagnostic tool. It 
checks several aspects of your physical and electronic connection and 
reports its results on-screen. This can be useful for troubleshooting, or 
when speaking with a technical support technician. 

Click on the Status Details link. The Diagnostics page appears. It reads: 
"This button will execute a predefined series of internal checks and loopback 
tests. This may take a few minutes to complete." and offers a Run Diagnostics 
button. 

Click on the Run Diagnostics button to run your diagnostic tests. For a 
detailed description of these tests, see "Diagnostics" on page 172. 
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



Link: Enable Remote Management 

This link allows you to authorize a remotely-located person, such as a support technician, to directly access your Cayman Gateway. This is useful for fixing configuration problems when you need expert help. You can limit the amount of time such a person will have access to your Gateway. This will prevent unauthorized individuals from gaining access after the time limit has expired. 



Click the Enable Rmt Mgmt link. The Enable Remote Management page 
appears. 



Enable Remote Management 

Please enter a password for administrator access to this device, as well as a timeout value for the management session. You may leave the password entries blank to use the current administrator password. Click "OK" to enable administrator access, or "Cancel" to return to the previous screen. 

[Form: Temporary Admin Password, with the fields Old Password, New Password and Confirm Password; a Password Timeout pull-down menu (20 minutes); OK and Cancel buttons.] 



Since you have already entered an Admin password, you can use that Admin password or enter a new one. If you enter a new password, it becomes the temporary Admin password. After the time-out period has expired, the Admin password reverts to the original Admin password you entered. 
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Enter a temporary password for the person you want to authorize, and confirm it by typing it again. You can select a time-out period for this password, from 5 to 30 minutes, from the pull-down menu. Be sure to tell the authorized person what the password is, and for how long the time-out is set. Click the Submit button. 



Link: Expert Mode 

Most users will find that the basic Quickstart configuration is all that they 
ever need to use. Some users, however, may want to do more advanced 
configuration. The Cayman Gateway has many advanced features that can 
be accessed and configured through the Expert Mode pages. 

Click on the Expert Mode link to display the Expert Mode Confirmation 
page. 



Expert Mode Confirmation 

You are now entering Expert Mode which is for advanced configuration, management and troubleshooting. 

If you change any parameters, the unit may not operate properly. 

Click "OK" to continue or "Cancel" to return to the previous screen. 

[Buttons: OK, Cancel] 



You should carefully consider any configuration changes you want to make, 
and be sure that your service provider supports them. 

Once you click the OK button you will be taken to the Expert Mode Home 
Page. 
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



The Expert Mode Home Page is the main access point for configuring and 
managing the advanced features of your Gateway. See "Expert Mode" on 
page 47 for information. 



Link: Update Firmware 

(This link is not available on the 3342/3352 models, since their firmware must be updated via the USB host driver.) 

Periodically, the embedded firmware in your Gateway may be updated to 
improve the operation or add new features. Your gateway includes its own 
onboard installation capability. Your service provider may inform you when 
new firmware is available, or you can check for yourself. 

Click the Update Firmware link. The Firmware Update Confirmation page 
appears. 

Firmware Update Confirmation 

Firmware is what makes your Cayman-3000 run and occasionally it needs to be updated. 

Click "Continue" to automatically check to see if newer firmware exists, download it, and install the new firmware. If newer firmware is found, you will have the option to install or cancel. 

Click "Cancel" to go back to the previous screen. 

[Buttons: Continue, Cancel] 

If you click the Continue button, the Gateway will check a remote Firmware Server for the latest firmware revision. If a newer version is found, your firmware will be automatically updated once you confirm the installation. 
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Link: Factory Reset 

In some cases, you may need to clear all the configuration settings and 
start over again to program the Cayman Gateway. You can perform a factory 
reset to do this. 

Click on Factory Reset to reset the Gateway back to its original factory 
default settings. 



Factory Reset Confirmation 



Warning: You are about to reset the configuration to 
factory defaults, this means the configuration of the 
Cayman-3000 will be lost and will have to be re-entered. 

[ OK ] [ Cancel ] 



NOTE: 

Exercise caution before performing a Factory Reset. This will 
erase any configuration changes that you may have made and 
allow you to reprogram your Gateway. 
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chapter 3 Expert Mode 



Using the Expert Mode Web-based user interface for the Netopia Cayman- 
series Gateway you can configure, troubleshoot, and monitor the status of 
your Gateway. 



47 



Access the Expert Web Interface 



Open the Web Connection 



Once your Gateway is powered up, you can use any recent version of the best-known web browsers such as Netscape Navigator or Microsoft Internet Explorer from any LAN-attached PC or workstation. The procedure is: 

1. Enter the name or IP address of your Cayman Gateway in the Web browser's window and press Return. 

For example, you would enter http://192.168.1.254. 

2. If an administrator or user password has been assigned to the Cayman Gateway, enter Admin or User as the username and the appropriate password and click OK. 

The Basic Mode Home Page opens. 
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3. Click on the Expert Mode link in the left-hand column of links. 
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



You are challenged to confirm your choice. 



Expert Mode Confirmation 

You are now entering Expert Mode which is for advanced configuration, management and troubleshooting. 

If you change any parameters, the unit may not operate properly. 

Click "OK" to continue or "Cancel" to return to the previous screen. 

[Buttons: OK, Cancel] 

Click OK. 



The Home Page opens in Expert Mode. 
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Home Page - Expert Mode 



The Home Page is the summary page for your Cayman Gateway. The toolbar at the top provides links to controlling, configuring, and monitoring pages. Critical configuration and operational status is displayed in the center section. 
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



Home Page - Information 



The Home page's center section contains a summary of the Gateway's 
configuration settings and operational status. 





Summary Information (Field: Status and/or Description) 

General Information 

Hardware: Model number and summary specification. 
Serial Number: Unique serial number, located on label attached to bottom of unit. 
Software Version: Release and build number of running Cayman Operating System. 
Product ID: Refers to internal circuit board series; useful in determining which software upgrade applies to your hardware type. 

WAN 

Status: Wide Area Network may be Waiting for DSL (or other waiting status), Up or Down. 
Data Rate (Kbps): Once connected, displays DSL speed rate, Downstream and Upstream. 
Local Address: IP address assigned to the WAN port. 
Peer Address: The IP address of the gateway to which the connection defaults. If doing DHCP, this info will be acquired. If doing PPP, this info will be negotiated. 
Connection Type: May be either Instant On or Always On. 
NAT: On or Off. ON if using Network Address Translation to share the IP address across many LAN users. 
WAN Users: Displays the number of users allotted and the total number available for use. 

LAN 

IP Address: Internal IP address of the Cayman Gateway. 
Netmask: Defines the IP subnet for the LAN. Default is 255.255.255.0 for a Class C device. 
DHCP Server: On or Off. ON if using DHCP to get IP addresses for your LAN client machines. 
DHCP Leases: A "lease" is held by each LAN client that has obtained an IP address through DHCP. 
DNS: The default IP address of the current DNS server. 
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Toolbar 



The toolbar is the dark blue bar at the top of the page containing the major 
navigation buttons. These buttons are available from almost every page, 
allowing you to move freely about the site. 



[Toolbar: Home, Configure, Troubleshoot, Security, Install, Restart, Help] 

Configure: Quickstart, LAN, WAN, Advanced 
Troubleshoot: System Status, Network Tools, Diagnostics 
Security: Passwords, Firewall, IPSec, Stateful Inspection, Security Log 
Install: Install Key, Install Software 
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Navigating the Web Interface 






Link: Breadcrumb Trail 

The breadcrumb trail is built in the light brown area beneath the toolbar. As 
you navigate down a path within the site, the trail is built from left to right. 
To return anywhere along the path from which you came, click on one of the 
links. 



Restart 



Button: Restart 

The Restart button on the toolbar allows you to restart the Gateway at any time. You will be prompted to confirm the restart before any action is taken. The Restart Confirmation message explains the consequences of and reasons for restarting the Gateway. 



Restart Gateway 

Restarting the Gateway is needed to enable: 

• Changes to your Gateway database configuration 

• New feature keys 

• Operating System Software Upgrades 

When you restart: 

• All users will be disconnected 

• You will be returned to the Home page 

• The Gateway will not respond to your web requests. This inactivity may last for approximately 2 minutes. 

[Button: Restart the Gateway] 
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



Link: Alert Symbol 

The Alert symbol appears in the upper right corner if you make a database 
change; one in which a change is made to the Gateway's configuration. The 
Alert serves as a reminder that you must Save the changes and Restart 
the Gateway before the change will take effect. You can make many 
changes on various pages, and even leave the browser for up to 5 minutes, 
but if the Gateway is restarted before the changes are applied, they will be 
lost. When you click on the Alert symbol, the Save Changes page appears. 
Here you can select various options to save or discard these changes. 











[Screenshot: the toolbar with the Alert symbol in the upper right corner and the breadcrumb trail Configure > Save Changes beneath it.] 









If more than one Alert is triggered, you will need to take action to clear the 
first Alert before you can see the second Alert. 



Home > Configure > Save Changes 

Changes have been made to the Gateway database. You must save the changes and restart the Gateway in order for the changes to take effect. 

Save Database 
Save: Apply changes made to the database 
Save and Restart: Apply changes and restart Gateway 

Check Database 
Review: Review the contents of the database 
Validate: Validate edited database 

Revert Database 
Revert: Restore to settings before edits 

Config Mode v1.2 
Validation passed! 
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Help 



Button: Help 

Context-sensitive Help is provided in CaymanOS. The page shown here is displayed when you are on the Home page or other transitional pages. To see a context help page example, go to Security -> Passwords, then click Help. 



Cayman Gateway Help 

Your Gateway supports Context Sensitive Help. Click on "Help" from within your page of interest and help for that page will be presented. 

Documentation 

The full product documentation is provided in electronic format. Documentation is also available online at www.netopia.com. 

[Button: Close Window] 
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Configure 






Button: Configure 

The Configuration options are presented in the order of likelihood you will 
need to use them. Quickstart is typically accessed during the hardware 
installation and initial configuration phase. Often, these settings should 
be changed only in accordance with information from your Service 
Provider. LAN and WAN settings are available to fine-tune your system. 
Advanced provides some special capabilities typically used for gaming or 
small office environments, or where LAN-side servers are involved. 



This button will not be available if you log on as User. 



Quickstart 

How to Use the Quickstart Page. Quickstart is normally used immediately after the new hardware is installed. When you are first configuring your Gateway, Quickstart appears first. 

(Once you have configured your Gateway, logging on displays the Home 
page. Thereafter, if you need to use Quickstart, choose it from the Expert 
Mode Configure menu.) 

Link: Configure -> Quickstart 

Setup Your Gateway using a PPP Connection. 

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
This example screen is for a PPP Quickstart configuration. Your gateway authenticates with the Service Provider equipment using the ISP Username and Password. These values are given to you by your Service Provider. 











[Screenshot: Quickstart page with the fields ISP Username and ISP Password and a Connect to the Internet button.] 
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1. Enter your ISP Username and ISP Password. 

2. Click Connect to the Internet. 



A brief message is displayed while the Gateway attempts to establish a connection. 
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3. When the connection succeeds, your browser will display your Service 
Provider's home page. 



If you encounter any problems connecting, refer to the chapters "Basic 
Troubleshooting" on page 153 or "Advanced Troubleshooting" on 
page 163. 
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



LAN 



Link: Configure -> LAN 





LAN IP Interface (Ethernet 100 BT) 

Enable Interface: (checked) 
IP Address: 192.168.1.254 
IP Netmask: 255.255.255.0 
Restrictions: None 
[Button: Submit] 

Other LAN Options 

Advanced: Configure advanced IP settings 
DHCP Server: Configure DHCP server options 
Wireless: Configure Wireless Options 



• Enable Interface: Enables all LAN-connected computers to share resources and to connect to the WAN. The Interface should always be enabled unless you are instructed to disable it by your Service Provider during troubleshooting. 

• IP Address: The LAN IP Address of the Gateway. The IP Address you assign to your LAN interface must not be used by another device on your LAN network. 

• IP Netmask: Specifies the subnet mask for the TCP/IP network connected to the virtual circuit. The subnet mask specifies which bits of the 32-bit binary IP address represent network information. The default subnet mask for most networks is 255.255.255.0 (Class C subnet mask). 
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
• Restrictions: Specifies whether an administrator can open a Web Administrator or Telnet connection to the Gateway over the LAN interface in order to monitor and configure the Gateway. On the LAN Interface, you can enable or disable administrator access. By default, administrative restrictions are turned off, meaning an administrator can open a Web Administrator or Telnet connection through the LAN Interface. 

• Advanced: Clicking on the Advanced link displays the Advanced LAN IP 
Interface page. 

Advanced LAN IP Interface (Ethernet 100 BT) 

IGMP Forwarding: (unchecked) 
RIP Send Mode: RIP-1 
RIP Receive Mode: RIP-1 
[Button: Submit] 

• IGMP Forwarding: The default setting is Disabled. If you check this option, it will enable Internet Group Management Protocol (IGMP) multicast forwarding. IGMP allows a router to determine which host groups have members on a given network segment. 

• RIP Send Mode: Specifies whether the gateway should use Routing Information Protocol (RIP) broadcasts to advertise its routing tables to other routers on your network. You may choose from the following protocols: 

• RIP-1: Routing Information Protocol version 1 

• RIP-2: RIP Version 2 is an extension of the original Routing Information Protocol (RIP-1) that expands the amount of useful information in the RIP packets. While RIP-1 and RIP-2 share the same basic algorithms, RIP-2 supports several new features, including inclusion of subnet masks in RIP packets and implementation of multicasting instead of broadcasting (which reduces the load on hosts which do not support routing protocols). 
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



• RIP-1 compatibility: Compatible with RIP version 1 

• RIP-2 with MD5: MD5 authentication is an extension of RIP-2 that 
increases security by requiring an authentication key when routes are 
advertised. 

• RIP MD5 Key: Secret password when using RIP-2 with MD5. 

• RIP Receive Mode: Specifies whether the Gateway should use Routing 
Information Protocol (RIP) broadcasts to update its routing tables with 
information received from other routers on your network. The protocol 
choices are the same as for the RIP send mode. 

• DHCP Server: Your Gateway can provide network configuration information to computers on your LAN, using the Dynamic Host Configuration Protocol (DHCP). 



DHCP Server 

Server Mode: Server 
Starting IP Address: 192.168.1.1 
Ending IP Address: 192.168.1.254 
Lease Period (d:h:m:s): 00:01:00:00 
[Button: Submit] 



If you already have a DHCP server on your LAN, you should turn this service 
off. 



If you want the Gateway to provide this service, click the Server Mode pull- 
down menu, choose Server, then configure the range of IP addresses that 
you would like the Gateway to hand out to your computers. 

You can also specify the length of time the computers can use the configuration information; DHCP calls this period the lease time. 
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
Your Service Provider may, for certain services, want to provide configuration from its DHCP servers to the computers on your LANs. In this case, the Gateway will relay the DHCP requests from your computers to a DHCP server in the Service Provider's network. Click the relay-agent and enter the IP address of the Service Provider's DHCP server in the Server Address field. This address is furnished by the Service Provider. 



NOTE: 

This option only works when NAT is off and the gateway is in 
router mode. 



• Wireless: If your Gateway is a wireless model (such as a 3347W) you can 
enable or disable the wireless LAN (WLAN) by clicking the Wireless link. 



Wireless functionality is enabled by default. 



802.11 Wireless Settings 

Enable Wireless: (checked) 
Wireless ID (ESSID): 5247 3521 
Default Channel: 6 
Enable Closed System Mode: (unchecked) 
Enable WEP Encryption: Off - No Privacy 
[Button: Submit] 

Other Wireless Options 

MAC Authorization: Limit Wireless Access by MAC Address 
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If you uncheck the Enable Wireless checkbox, the Wireless Options are 
disabled, and the Gateway will not provide or broadcast any wireless LAN 
services. 

Wireless ID (ESSID): The ESSID is preset to a number that is unique to 
your unit. You can either leave it as is, or change it by entering a freeform 
name of up to 32 characters, for example "Ed's Wireless LAN". On client 
PCs' software, this might also be called the Network Name. The ESSID is 
used to identify this particular wireless LAN. Depending on their operating 
system or client wireless card, users must either: 

• select from a list of available wireless LANs that appear in a scanned list on their client 

• or, if you are in Closed System Mode (see Enable Closed System Mode below), enter this name on their clients in order to join this wireless LAN. 

You can then configure: 

Default Channel: (1 through 11) on which the network will broadcast. This is a frequency range within the 2.4 GHz band. Channel selection depends on government regulated radio frequencies that vary from region to region. The widest range available is from 1 to 14. However, in North America only 1 to 11 may be selected. Europe, France, Spain and Japan will differ. Channel selection can have a significant impact on performance, depending on other wireless activity close to this Gateway. Channel selection is not necessary at the client computers; the clients will scan the available channels seeking access points using the same ESSID as the client. 

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
Enable Closed System Mode: If enabled, Closed System Mode hides the wireless network from the scanning features of wireless client computers. Unless both the wireless clients and the Router share the same ESSID in Closed System mode, the Router's wireless LAN will not appear as an available network when scanned for by wireless-enabled computers. Members of the Closed System WLAN must log onto the Router's wireless network with the identical ESSID as that configured in the router. 

Closed System mode is an ideal way to increase wireless security and to 
prevent casual detection by unwanted neighbors, office users, or malicious 
users such as hackers. 

If you do not enable Closed System Mode, it is more convenient, but potentially less secure, for clients to access your WLAN by scanning available access points. You must decide based on your own network requirements. 

About Closed System Mode 

Enabling Closed System Mode on your wireless Gateway provides another level of security, since your wireless LAN will no longer appear as an available access point to client PCs that are casually scanning for one. 

Your own wireless network clients, however, must log into the wireless LAN 
by using the exact ESSID of the Cayman Gateway. 

In addition, if you have enabled WEP encryption on the Cayman Gateway, 
your network clients must also have WEP encryption enabled, and must 
have the same WEP encryption key as the Cayman Gateway. 

Once the Cayman Gateway is located by a client computer, by setting the client to a matching ESSID, the client can connect immediately if WEP is not enabled. If WEP is enabled then the client must also have WEP enabled and a matching WEP key. 

Wireless client cards from different manufacturers and different operating 
systems accomplish connecting to a wireless LAN and enabling WEP in a 
variety of ways. Consult the documentation for your particular wireless card 
and/or operating system. 

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
Enable WEP Encryption: You can provide a level of data security by enabling WEP (Wired Equivalent Privacy) for encryption of network data. You can enable 40-, 128-, or 256-bit WEP Encryption (depending on the capability of your client wireless card) for IP traffic on your LAN. 

You select a single key for encryption of outbound traffic. The WEP-enabled client must have an identical key of the same length, in the identical slot (1 - 4) as the Gateway, in order to successfully receive and decrypt the traffic. Similarly, the client also has a 'default' key that it uses to encrypt its transmissions. In order for the Gateway to receive the client's data, it must likewise have the identical key of the same length, in the same slot. For simplicity, a Gateway and its clients need only enter, share, and use the first key. 



802.11 Wireless Settings 

Enable Wireless: (checked) 
Wireless ID (ESSID): 5247 3521 
Default Channel: 
Enable Closed System Mode: (unchecked) 
Enable WEP Encryption: pull-down menu showing Off - No Privacy (selected), On - Automatic, On - Manual Entry 
[Button: Submit] 

Other Wireless Options 

MAC Authorization: Limit Wireless Access by MAC Address 

You are strongly encouraged to enable WEP encryption on your wireless 
LAN. 

The pull-down menu for enabling WEP offers three settings: Off - No Privacy, On - Automatic, and On - Manual Entry. 

• Off - No Privacy provides no encryption on your wireless LAN data. 
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• On - Automatic is a passphrase generator. You enter a passphrase that you choose in the WEP key passphrase field. The passphrase can be any string of words or numbers. 

When you click the Submit button, the software generates encryption 
keys automatically. 
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NOTE: 

While clients may also have a passphrase feature, these are vendor-specific and may not necessarily create the same keys. You can use the passphrase generator to create a set of keys on one device, and manually enter them on the other to get around this. 
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Select the Encryption Key Size #1 - #4 from their respective pull-down menus. The longer the key, the stronger the encryption and the more difficult it is to break the encryption. 

Use WEP encryption key (1 - 4) # specifies which key the Gateway will 
use to encrypt transmitted traffic. The default is key #1. 

When you click the Submit button, the software generates encryption keys 
automatically. 
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• On - Manual Entry allows you to enter your own encryption keys manually. This is a difficult process, but only needs to be done once. Avoid the temptation to enter all the same characters. 
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Encryption Key Size #1 - #4: Selects the length of each encryption key. The longer the key, the stronger the encryption and the more difficult it is to break the encryption. 

Encryption Key #1 - #4: The encryption keys. You enter keys using hexadecimal digits. For 40/64bit encryption, you need ten digits; 26 digits for 128bit, and 58 digits for 256bit WEP. Hexadecimal characters are 0-9 and a-f. 
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Examples: 

• 40bit: 02468ACE02 

• 128bit: 0123456789ABCDEF0123456789 

• 256bit: 592CA140F0A238B0C61AE162F592CA140F0A238B0C61AE162F21A09C 

Use WEP encryption key (1 - 4) #: Specifies which key the Gateway will 
use to encrypt transmitted traffic. The default is key #1. 
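As an added example that is not part of the Netopia manual, the following Python checks a manually entered key against the digit counts given above, flags the all-identical-characters key the manual warns against, and checks the slot rule from the earlier WEP description (each side's transmit slot must hold the same key on the other side). All function and variable names are my own.

```python
import re
import secrets

# Number of hexadecimal digits the Gateway expects in an Encryption Key
# field for each Encryption Key Size offered in the pull-down menu.
WEP_KEY_HEX_DIGITS = {40: 10, 128: 26, 256: 58}

_HEX_ONLY = re.compile(r"^[0-9a-fA-F]+$")


def check_wep_key(key, key_size_bits):
    """Return a list of problems with a manually entered WEP key.

    An empty list means the key is acceptable for the selected size.
    """
    problems = []
    key = key.strip()
    expected = WEP_KEY_HEX_DIGITS.get(key_size_bits)
    if expected is None:
        return ["unsupported key size: %r" % (key_size_bits,)]
    if not _HEX_ONLY.match(key):
        # Anything outside 0-9 / a-f cannot be typed into the key field,
        # so a length check on such input would be meaningless.
        return ["key must contain only hexadecimal digits 0-9 and a-f"]
    if len(key) != expected:
        problems.append("%d-bit WEP needs %d hex digits, got %d"
                        % (key_size_bits, expected, len(key)))
    if len(set(key.lower())) == 1:
        # The manual warns against entering all the same characters.
        problems.append("key uses a single repeated character; choose varied digits")
    return problems


def generate_wep_key(key_size_bits):
    """Produce a random key of the right length for On - Manual Entry.

    Uses the OS random source rather than a vendor passphrase generator,
    so the same hex string can be typed into clients from any vendor.
    """
    digits = WEP_KEY_HEX_DIGITS[key_size_bits]
    # token_hex(n) returns 2n hex characters; 10, 26 and 58 are all even.
    return secrets.token_hex(digits // 2).upper()


def slots_compatible(gateway_keys, gateway_tx_slot, client_keys, client_tx_slot):
    """Check the slot rule: traffic decrypts in both directions only if the
    slot each side transmits with holds the identical key on the other side.

    gateway_keys / client_keys map a slot number (1-4) to a hex key string.
    """
    for slot in (gateway_tx_slot, client_tx_slot):
        gw = gateway_keys.get(slot, "").strip().lower()
        cl = client_keys.get(slot, "").strip().lower()
        if not gw or gw != cl:
            return False
    return True


if __name__ == "__main__":
    # The 40-bit and 128-bit examples from the manual pass the length check.
    print(check_wep_key("02468ACE02", 40))                   # []
    print(check_wep_key("0123456789ABCDEF0123456789", 128))  # []
    print(check_wep_key("AAAAAAAAAA", 40))                   # repeated-character warning
    fresh = generate_wep_key(256)
    print(len(fresh), check_wep_key(fresh, 256))             # 58 []
    # Gateway transmits with key 1; the client must hold the same key in slot 1,
    # and the Gateway must hold whatever the client transmits with.
    gw = {1: "02468ACE02", 2: "13579BDF13"}
    print(slots_compatible(gw, 1, {1: "02468ace02"}, 1))     # True
    print(slots_compatible(gw, 1, {1: "02468ace02"}, 2))     # False: client slot 2 is empty
```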

You disable the wireless LAN by unchecking the Enable Wireless checkbox, 
clicking the Submit button, followed by the Save and Restart link. 
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Wireless MAC Authentication: allows you to specify which client PCs are 
allowed to join the wireless LAN by specific hardware address. Once it is 
enabled, only entered MAC addresses that have been set to Allow will be 
accepted onto the wireless LAN. All unlisted addresses will be blocked, in 
addition to the listed addresses with Allow disabled. 

To enable Wireless MAC Authentication, click the MAC Authorization link. 

When the Wireless MAC Authentication screen appears, check the Enable 
Wireless MAC Authentication checkbox: 



Wireless MAC Authentication 

Enable Wireless MAC Authentication: (unchecked) 
[Button: Submit] 



The screen expands as follows: 



Wireless MAC Authentication 

Enable Wireless MAC Authentication: (checked) 
[Button: Submit] 

To add a new Wireless MAC Address, press the "Add" button. 

Authorized Wireless MAC Addresses 

No wireless MAC entries have been defined 

[Button: Add] 



Click the Add button. The Authorized Wireless MAC Address Entry screen appears. 
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Authorized Wireless MAC Address Entry 

Allow Access?: (checked) 
Hardware MAC Address: 00 - 0a - 27 - ae - 71 - a3 (six two-digit fields) 
[Button: Submit] 



Enter the MAC (hardware) address of the client PC you want to authorize for 
access to your wireless LAN. The Allow Access? checkbox is enabled by 
default. Unchecking this checkbox specifically denies access from this MAC 
address. Click the Submit button. 

Your entry will be added to a list of up to 32 authorized addresses as 
shown: 



Wireless MAC Authentication 

Enable Wireless MAC Authentication: (checked) 
[Button: Submit] 

To add a new Wireless MAC Address, press the "Add" button. 
To edit or delete a Wireless MAC Address, select the entry and press the "Edit" or "Delete" button. 

Authorized Wireless MAC Addresses 

Wireless MAC Address = 00-0a-27-ae-71-a3 - Allowed 

[Buttons: Add, Edit, Delete] 



You can continue to Add, Edit , or Delete addresses to the list by clicking the 
respective buttons. 
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After your first entry, the Alert icon will appear in the upper right corner of your screen. When you are finished adding addresses to the list, click the Alert icon, and Save your changes and restart the Gateway. 
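The admission rule described above, as an added Python model that is not part of the Netopia manual or its firmware: an enable checkbox, a list of at most 32 entries each with an Allow Access? flag, and the decision that only listed addresses with Allow set are admitted once the feature is on. The class and function names are my own, and the "Denied" wording for an entry with Allow unchecked is an assumption (the manual only shows the "Allowed" form).

```python
import re

# Size of the Authorized Wireless MAC Addresses list, as stated in the manual.
MAX_MAC_ENTRIES = 32


def normalize_mac(mac):
    """Canonicalise a MAC written as 00-0a-27-ae-71-a3, 00:0A:27:AE:71:A3 or
    000a27ae71a3 to the lowercase dashed form shown in the Gateway's list."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % (mac,))
    digits = digits.lower()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


class WirelessMacAuthorization:
    """Models the Wireless MAC Authentication screen: an enable checkbox and a
    list of entries, each carrying an Allow Access? flag."""

    def __init__(self, enabled=False):
        self.enabled = enabled
        self.entries = {}  # normalised MAC -> allow flag

    def add(self, mac, allow=True):
        """Add a new entry or edit an existing one; the list holds at most 32."""
        key = normalize_mac(mac)
        if key not in self.entries and len(self.entries) >= MAX_MAC_ENTRIES:
            raise ValueError("authorized MAC list is full (%d entries)" % MAX_MAC_ENTRIES)
        self.entries[key] = bool(allow)

    def delete(self, mac):
        self.entries.pop(normalize_mac(mac), None)

    def admits(self, mac):
        """Return True if a client with this hardware address may join the WLAN.

        With the feature off every address is admitted. With it on, only listed
        addresses whose Allow flag is set get in; unlisted addresses and listed
        addresses with Allow unchecked are blocked.
        """
        if not self.enabled:
            return True
        return self.entries.get(normalize_mac(mac), False)

    def listing(self):
        """Render the list the way the screen does, e.g.
        'Wireless MAC Address = 00-0a-27-ae-71-a3 - Allowed'.
        'Denied' for an unchecked entry is an assumed label."""
        return ["Wireless MAC Address = %s - %s"
                % (mac, "Allowed" if allow else "Denied")
                for mac, allow in sorted(self.entries.items())]


if __name__ == "__main__":
    auth = WirelessMacAuthorization(enabled=True)
    auth.add("00-0a-27-ae-71-a3")               # the entry from the manual's screen
    auth.add("00:0A:27:AE:71:B4", allow=False)  # constructed: listed, Allow unchecked
    print(auth.listing())
    print(auth.admits("00:0a:27:ae:71:a3"))     # True
    print(auth.admits("000a27ae71b4"))          # False: Allow unchecked
    print(auth.admits("00-0a-27-ae-71-c5"))     # False: not listed
```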

Wireless Hotspot Support (keyed feature). Your wireless Gateway now 
supports user name and password login, if you have the Wireless Hotspot 
feature key installed. See "Install Keys" on page 149. 

By enabling this feature you can limit wireless access through your Gateway by requiring members of a list of Authorized Wireless Users to log in with a username and password before entering your network. (User authentication is only required for WAN access and does not prevent LAN access.) The Hotspot Support key also adds RADIUS server support in the Advanced Configuration page. See "RADIUS Server" on page 75. 

When this feature is enabled, users that are not on the Authorized Wireless Users list (or who have had their access disabled) will be prevented from accessing the WAN. Once you install the feature key, the 802.11 Wireless Settings screen offers an additional link - User Setup. 

802.11 Wireless Settings 

Enable Wireless: (checked) 
SSID (Network ID): 5247 3521 
Use Encryption: Off - No Privacy 
[Button: Submit] 

Other Wireless Options 

Advanced: Advanced Configuration Options 
User Setup: Configure Wireless Access by User 
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Click the User Setup link. The Wireless User Authentication page 
appears. 



Wireless User Authentication 

Enable User Authentication: (unchecked) 
[Button: Submit] 



Check the Enable User Authentication checkbox and click the Submit button. The screen expands to allow you to add users. 



Wireless User Authentication 

Enable Wireless User Authentication: (checked) 
[Button: Submit] 

To add a new Wireless User, press the "Add" button. 

Authorized Wireless Users 

No wireless users have been defined 

[Button: Add] 



Click the Add button. The Authorized Wireless Users Entry screen 
appears. 



Authorized Wireless Users Entry 

Allow Access?: (checked) 
Username: 
Password: 
[Button: Submit] 
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Allow Access is checked by default (you can uncheck it to specifically deny 
access to a particular user). Enter a Username and Password in the 
respective fields and click the Submit button. The fields will clear and you 
can enter another Username and Password, up to 16 users. 

After your first entry, the Alert icon will appear in the upper right corner of your screen. When you are finished adding users to the list, click the Alert icon, and Save your changes and restart the Gateway. 

If you need to Add, Edit (or Disallow), or Delete users later, return to the 
Wireless User Authentication screen, where you can select users from 
the current Authorized Wireless Users list for any of these functions. 



Wireless User Authentication 

Enable Wireless User Authentication: (checked) 
[Button: Submit] 

To add a new Wireless User, press the "Add" button. 
To edit or delete a Wireless User, select the entry and press the "Edit" or "Delete" button. 

Authorized Wireless Users 

tony It - Allowed 
mikem - Allowed 

[Buttons: Add, Edit, Delete] 



Configure 



After making any changes, the Alert icon will appear in the upper right corner of your screen. When you are finished making your changes, click the Alert icon, and Save your changes and restart the Gateway.




Optionally, if RADIUS servers are configured, a user may be veri- 
fied by RADIUS if the user does not exist locally. 
The Hotspot Support key adds RADIUS server support in the 
Advanced Configuration page. See below. 



If they log in successfully, users will be forwarded to the original 
web destination that they tried to access. Users will simply 
encounter a username/password dialog box on the way to some 
web address they were going to, like www.mumble.com. 



RADIUS Server. See "Wireless Hotspot Support (keyed feature)" on 
page 72. 

RADIUS servers allow external authentication of users by means of a 
remote authentication database. The remote authentication database is 
maintained by a Remote Authentication Dial-In User Service (RADIUS) 
server. In conjunction with Wireless User Authentication, you can use a 
RADIUS server database to authenticate users seeking access to the wire- 
less services, as well as the authorized user list maintained locally within 
the Gateway. 

RADIUS server support is enabled when the Wireless Hotspot feature key is 
installed. 
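The local-list-then-RADIUS decision described above, together with the Access-Request the Gateway would send to the server on port 1812, as an added Python example that is not part of the Netopia documentation or of the COS firmware. The packet layout and the User-Password hiding follow RFC 2865; the local user dictionary, the shared secret and the radius_check callback are constructed assumptions for the example, and the page does not say which other attributes COS includes in its requests.

```python
import hashlib
import os
import struct

MAX_LOCAL_USERS = 16          # page: up to 16 locally defined wireless users
RADIUS_PORT = 1812            # page: default RADIUS Server Port

ACCESS_REQUEST = 1            # RFC 2865 packet code
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad the password to a multiple of 16 bytes and XOR each
    block with MD5(secret + previous ciphertext block); the first block uses
    the 16-byte Request Authenticator instead of a previous block."""
    pw = password.encode() or b"\x00"
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(pw[i:i + 16], block))
        out += prev
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(prev, block))
    return out.rstrip(b"\x00").decode()


def build_access_request(identifier, username, password, secret, authenticator=None):
    """Encode a PAP Access-Request: code, identifier, length, authenticator,
    then TLV attributes. Only User-Name and User-Password are included here
    (assumption: the page does not list the attributes COS sends)."""
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    for attr_type, value in ((ATTR_USER_NAME, username.encode()),
                             (ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, 2 + len(value)) + value
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_packet(packet):
    """Decode header and attributes; returns (code, identifier, {type: value})."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, attrs


def authenticate(username, password, local_users, radius_check=None):
    """Decision order from the page: a user that exists in the local
    Authorized Wireless Users list is decided locally (an unchecked Allow
    Access box is an explicit deny); only a user absent locally is verified
    by RADIUS. radius_check(username, password) -> bool stands in for the
    round trip to the primary server or, if it is unreachable, the alternate.
    local_users is a constructed dict: name -> {"password": str, "allow": bool}."""
    if len(local_users) > MAX_LOCAL_USERS:
        raise ValueError("at most 16 local wireless users")
    entry = local_users.get(username)
    if entry is not None:
        return entry["allow"] and entry["password"] == password
    if radius_check is None:        # no Hotspot key, or no RADIUS servers configured
        return False
    return radius_check(username, password)
```

Note that the shared secret only protects the password field; the rest of the request travels in the clear, which is why the page compares the secret to a normal password and why the server should be reachable over a trusted path.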
[Screen: Advanced - Network Configuration]
IP Static Routes - Build IP static route table
IP Static ARP - Build IP static ARP table

NAT
Pinholes - Set up pinholes through NAT
IPMaps - Set up NAT one-to-one IP address mappings
Default Server - Set up NAT default server options

Services
DNS - Set up DNS options
DHCP Server - Set up DHCP server and relay-agent options
RADIUS Server - Set up RADIUS server options
SNMP - Set up SNMP community, trap and system group options
Ethernet Bridge - Set up Ethernet MAC bridge

Miscellaneous
System - Configure System parameters
Syslog Parameters - Set up Syslog
Internal Servers - Configure internal web and telnet ports
Software Hosting - Set up Software Hosting
Clear Options - Restore the Gateway to its factory configuration

You access the RADIUS Server configuration screen from the Advanced Network Configuration web page, by clicking the RADIUS Server link.
The RADIUS Servers screen appears.

[Screen: RADIUS Servers]
RADIUS Server Addr/Name: (text field)
RADIUS Server Secret: (text field)
Alt RADIUS Server Addr/Name: (text field)
Alt RADIUS Server Secret: (text field)
RADIUS Server Port: 1812
Submit

RADIUS Server Addr/Name: The default RADIUS server name or IP 
address that you want to use. 

RADIUS Server Secret: The RADIUS secret key used by this server. The 
shared secret should have the same characteristics as a normal pass- 
word. 

Alt RADIUS Server Addr/Name: An alternate RADIUS server name or IP address to be used if the primary server is unreachable.

Alt RADIUS Server Secret: The secret key used by the alternate RADIUS server.

RADIUS Server Port: This field specifies the port on which the RADIUS server is listening. The default value is 1812.



When you are finished, click the Submit button. 
Link: Configure -> WAN

[Screen: WAN]
WAN IP Interfaces:
PPP over Ethernet vcc1 - Configure this IP interface

IP Gateway:
Enable Gateway Option: (checkbox)
Interface Type: PPP (vcc1) (pull-down)
Submit

Other WAN Options:
ATM - Set up ATM circuits

WAN IP Interfaces 

Your IP interfaces are listed. Click on an interface to configure it. 

IP Gateway 

Enable Gateway: You can configure the Gateway to send packets to a 
default gateway if it does not know how to reach the destination host. 

Interface Type: If you have PPPoE enabled, you can specify that packets 
destined for unknown hosts will be sent to the gateway being used by the 
remote PPP peer. If you select ip-address, you must enter the IP address 
of a host on a local or remote network to receive the traffic. 

Default Gateway: The IP Address of the default gateway. 
Other WAN Options

PPPoE: You can enable or disable PPPoE. This link also allows configura- 
tion of NAT, admin restrictions, PPPoE username/password, and connec- 
tion type. 

ATM Circuits: You can configure the ATM circuits and the number of Ses- 
sions. The IP Interface(s) should be reconfigured after making changes 
here. 



Available Encapsulation types: 

PPP over Ethernet (PPPoE) 
PPP over ATM (PPPoA) 
RFC-1483 Bridged Ethernet 
RFC-1483 Routed IP 
None 



Available Multiplexing types: 

LLC/SNAP 
VC muxed 



[Screen: ATM Circuits]
VCC  VPI  VCI  Encapsulation      Multiplexing
1    0    0    PPP over Ethernet  LLC/SNAP

To turn off a VCC, set its encapsulation to None.
Submit

Other ATM Options:
ATM Traffic Shaping - Configure ATM Traffic Shaping Options

COS Version 7 supports VPI/VCI autodetection by default. If VPI/VCI 
autodetection is enabled, the ATM Circuits page displays VPI/VCI = 0. If 
you configure a new ATM VPI/VCI pair, upon saving and restarting, auto- 
detection is disabled and only the new VPI/VCI pair configuration will be 
enabled. 
VPI/VCI Autodetection consists of eight static VPI/VCI pair configurations. These are 0/35, 8/35, 0/32, 1/35, 8/32, 1/1, 1/32, 2/32. These eight VPI/VCI pairs will be created if the Gateway is configured for autodetection. If the Gateway does not train to any of these preconfigured VPI/VCI pairs, then you can manually enter a VPI/VCI pair in the ATM Circuits page.

ATM Traffic Shaping: You can prioritize delay-sensitive data by configur- 
ing the Quality of Service (QoS) characteristics of the virtual circuit. Click 
the ATM Traffic Shaping link. 



[Screen: ATM Traffic Shaping]
VCC  Service Class  Peak Cell Rate  Sustained Cell Rate  Maximum Burst Size
1    VBR            0
Submit

You can choose UBR (Unspecified Bit Rate), CBR (Constant Bit Rate), or 
VBR (Variable Bit Rate) from the pull-down menu and set the Peak Cell 
Rate (PCR) in the editable field. 

UBR (Unspecified Bit Rate) guarantees no minimum transmission rate. 
Cells are transmitted on a "best effort" basis. However, there is a cap 
on the maximum transmission rate for UBR VCs. In a practical situation: 

• UBR VCs should be transmitted at a priority lower than CBR. 

• Bandwidth should be shared equally among UBR VCs. 

UBR applications are non-real-time traffic such as IP data traffic. 

CBR (Constant Bit Rate) guarantees a certain transmission rate (although the application may underutilize this bandwidth). A Peak Cell Rate (PCR) characterizes CBR. CBR is most suited for real time applications such as real time voice / video, although it can be used for other applications.

VBR (Variable Bit Rate) This class is characterized by:

• a Peak Cell Rate (PCR), which is a temporary burst, not a sustained rate,

• a Sustained Cell Rate (SCR), and

• a Burst Tolerance (BT), specified in terms of Maximum Burst Size (MBS). The MBS is the maximum number of cells that can be transmitted at the peak cell rate and should be less than, or equal to, the Peak Cell Rate, which should be less than, or equal to, the line rate.

VBR has two sub-classes: 

a. VBR non-real-time (VBR-nrt): Typical applications are non-real-time traf- 
fic, such as IP data traffic. This class yields a fair amount of Cell Delay 
Variation (CDV). 

b. VBR real time (VBR-rt): Typical applications are real-time traffic, such 
as compressed voice over IP and video conferencing. This class trans- 
mits cells with a more tightly bounded Cell Delay Variation. The applica- 
tions follow CBR. 



[Screen: ATM Traffic Shaping, Service Class VBR selected]
VCC  Service Class  Peak Cell Rate  Sustained Cell Rate  Maximum Burst Size
1    VBR            0               (text field)         (text field)
Submit



Note: 

The difference between VBR-rt and VBR-nrt is the tolerated Cell 
Delay Variation range and the provisioned Maximum Burst Size. 
Class  PCR  SCR  MBS  Transmit Priority  Comments
UBR    X    N/A  N/A  Low                PCR is a cap
CBR    X    N/A  N/A  High               PCR is a guaranteed rate
VBR    X    X    X    High               PCR > SCR. SCR is a guaranteed rate. PCR is a cap.
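An added Python example, not from the page or from Netopia, that encodes the per-class rules of the table and the UBR/CBR/VBR text above as a check on one VCC's traffic-shaping entry. The line_rate argument, the function name and the literal reading of the page's "MBS should be less than or equal to the Peak Cell Rate" are assumptions made for the example.

```python
# Per-class rules from the Service Class table above. "needs" lists the
# fields that must be set for the class; the remaining fields are N/A.
SERVICE_CLASSES = {
    "UBR": {"needs": ("pcr",),              "priority": "Low",  "guaranteed": None},
    "CBR": {"needs": ("pcr",),              "priority": "High", "guaranteed": "pcr"},
    "VBR": {"needs": ("pcr", "scr", "mbs"), "priority": "High", "guaranteed": "scr"},
}


def check_entry(service_class, line_rate, pcr, scr=None, mbs=None):
    """Validate one ATM Traffic Shaping row. Returns a dict whose "problems"
    list is empty when the entry is consistent with the page's rules, plus
    the transmit priority, the guaranteed rate (if any) and the cap.
    line_rate (cells/s) is an assumed argument: the page only says that PCR
    must not exceed it."""
    spec = SERVICE_CLASSES.get(service_class)
    if spec is None:
        return {"problems": [f"unknown service class {service_class!r}"]}
    values = {"pcr": pcr, "scr": scr, "mbs": mbs}
    problems = []
    for name in spec["needs"]:
        if values[name] is None or values[name] <= 0:
            problems.append(f"{service_class} requires a positive {name.upper()}")
    for name in ("scr", "mbs"):
        if name not in spec["needs"] and values[name] is not None:
            problems.append(f"{name.upper()} is N/A for {service_class}")
    if pcr is not None and pcr > line_rate:
        problems.append("PCR must not exceed the line rate")
    if service_class == "VBR" and not problems:
        if scr >= pcr:                      # table: PCR > SCR
            problems.append("VBR needs PCR > SCR")
        if mbs > pcr:                       # page wording: MBS <= PCR, taken as written
            problems.append("MBS must not exceed PCR")
    guaranteed = {"pcr": pcr, "scr": scr, None: None}[spec["guaranteed"]]
    return {"problems": problems, "priority": spec["priority"],
            "guaranteed_rate": guaranteed, "cap": pcr}
```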
Link: Advanced

Selected Advanced options are discussed in the pages that follow. Many 
are self-explanatory or are dictated by your service provider. 

The following are links under Configure -> Advanced: 



Network Configuration
IP Static Routes - Build IP static route table
IP Static ARP - Build IP static ARP table

NAT
Pinholes - Set up pinholes through NAT
IPMaps - Set up NAT one-to-one IP address mappings
Default Server - Set up NAT default server options

Services
DNS - Set up DNS options
DHCP Server - Set up DHCP server and relay-agent options
RADIUS Server - Set up RADIUS server options
SNMP - Set up SNMP community, trap and system group options
Ethernet Bridge - Set up Ethernet MAC bridge

Miscellaneous
System - Configure System parameters
Syslog Parameters - Set up Syslog
Internal Servers - Configure internal web and telnet ports
Software Hosting - Set up Software Hosting
Clear Options - Restore the Gateway to its factory configuration



Link: IP Static Routes 

A static route identifies a manually configured pathway to a remote network. 
Unlike dynamic routes, which are acquired and confirmed periodically from 
other routers, static routes do not time out. Consequently, static routes are useful when working with PPP, since an intermittent PPP link may make maintenance of dynamic routes problematic.



You can configure as many as 32 static IP routes for the Gateway. 
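The static route table as an added Python example, not from the page or from COS. It takes the fields of the IP Static Route Entry screen (destination network, netmask, interface, gateway, metric), enforces the 32-route limit, and resolves a destination host by longest-prefix match; the lookup rule, the sample routes and the function names are constructed assumptions.

```python
import ipaddress

MAX_STATIC_ROUTES = 32        # page: as many as 32 static IP routes


class StaticRouteTable:
    """Routes as entered on the IP Static Route Entry screen. Static routes
    carry no timers here because, unlike RIP-learned routes, they never
    time out."""

    def __init__(self):
        self.routes = []

    def add(self, destination, netmask, gateway, metric=1, interface="PPP (vcc1)"):
        if len(self.routes) >= MAX_STATIC_ROUTES:
            raise ValueError("at most 32 static routes")
        # strict=True rejects a destination with host bits set under the netmask
        network = ipaddress.IPv4Network(f"{destination}/{netmask}", strict=True)
        self.routes.append({"network": network,
                            "gateway": ipaddress.IPv4Address(gateway),
                            "metric": metric, "interface": interface})

    def lookup(self, destination):
        """Longest-prefix match (assumed lookup rule); on equal prefix length
        the lower metric wins. Returns the route dict, or None when no
        static route covers the host."""
        addr = ipaddress.IPv4Address(destination)
        best, best_key = None, None
        for route in self.routes:
            if addr in route["network"]:
                key = (route["network"].prefixlen, -route["metric"])
                if best_key is None or key > best_key:
                    best, best_key = route, key
        return best


def sample_table():
    """Constructed routes: a summary route for 10.0.0.0/8 and a more
    specific one for 10.1.0.0/16 reachable through a different LAN router."""
    table = StaticRouteTable()
    table.add("10.0.0.0", "255.0.0.0", "192.168.1.254", metric=1, interface="Ethernet 100BT")
    table.add("10.1.0.0", "255.255.0.0", "192.168.1.253", metric=1, interface="Ethernet 100BT")
    return table
```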



[Screen: IP Static Route Entry]
Destination Network: 0.0.0.0
Netmask: 0.0.0.0
Interface Type: PPP (vcc1) (pull-down)
Gateway: 0.0.0.0
Metric: (text field)
RIP Advertise: Split Horizon (pull-down)
Submit
Link: IP Static ARP

Your Gateway maintains a dynamic Address Resolution Protocol (ARP) table 
to map IP addresses to Ethernet (MAC) addresses. It populates this ARP 
table dynamically, by retrieving IP address/MAC address pairs only when it 
needs them. Optionally, you can define static ARP entries to map IP 
addresses to their corresponding Ethernet MAC addresses. Unlike dynamic 
ARP table entries, static ARP table entries do not time out. The IP address 
cannot be 0.0.0.0. The Ethernet MAC address entry is in nn-nn-nn-nn-nn-nn 
(hexadecimal) format. 
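An added Python example, not from the page or from Netopia, that applies the two rules above to static ARP entries: the IP address may not be 0.0.0.0 and the MAC address is six hex octets in nn-nn-nn-nn-nn-nn form (the colon-delimited form the Default Server page allows later is accepted as well). It also contrasts dynamic entries, which age out, with static entries, which never do; the ArpTable class, its dynamic_ttl argument, the time units and the rule that a static entry is not replaced by a learned one are constructed assumptions.

```python
import ipaddress
import re

# Six two-digit hex groups, all separated by "-" or all by ":".
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([-:])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def is_valid_mac(text):
    return bool(_MAC_RE.match(text))


def parse_mac(text):
    """Return the canonical dash-delimited lower-case form, or raise."""
    if not is_valid_mac(text):
        raise ValueError(f"bad MAC address {text!r}")
    return "-".join(re.split(r"[-:]", text)).lower()


class ArpTable:
    """IP -> MAC mappings. Dynamic entries expire dynamic_ttl time units
    after they were learned; static entries have no expiry at all."""

    def __init__(self, dynamic_ttl=60):
        self.dynamic_ttl = dynamic_ttl
        self.entries = {}

    def add_static(self, ip, mac):
        if ip == "0.0.0.0":                       # page: the IP address cannot be 0.0.0.0
            raise ValueError("IP address cannot be 0.0.0.0")
        ipaddress.IPv4Address(ip)                  # raises on a malformed address
        self.entries[ip] = {"mac": parse_mac(mac), "static": True, "expires": None}
        return self.entries[ip]["mac"]

    def learn(self, ip, mac, now):
        """Record a mapping seen on the wire. Assumption for this example:
        a static entry is never replaced by a learned one, so a host that
        answers with a different MAC cannot displace the configured one."""
        current = self.entries.get(ip)
        if current is not None and current["static"]:
            return False
        self.entries[ip] = {"mac": parse_mac(mac), "static": False,
                            "expires": now + self.dynamic_ttl}
        return True

    def resolve(self, ip, now):
        """Return the MAC for ip, dropping a dynamic entry that has expired."""
        entry = self.entries.get(ip)
        if entry is None:
            return None
        if not entry["static"] and now >= entry["expires"]:
            del self.entries[ip]
            return None
        return entry["mac"]
```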
[Screen: IP Static ARP Entry]
IP Address: 0.0.0.0
Hardware MAC Address: 00-00-00-00-00-00
Submit
Link: Pinholes

Pinholes allow you to transparently route selected types of network traffic, 
such as FTP requests or HTTP (Web) connections, to a specific host behind 
the Gateway. Creating a pinhole allows access traffic originating from a 
remote connection (WAN) to be sent to the internal computer (LAN) that is 
specified in the Pinhole page. 

Pinholes are common for applications like multiplayer online games. Refer 
to software manufacturer application documentation for specific traffic 
types and port numbers. 



[Screen: Pinholes]
To create a new pinhole entry, press the "Add" button.
No pinhole entries have been defined
Add

Configure Specific Pinholes. Planning for Your Pinholes. Determine if 
any of the service applications that you want to provide on your LAN sta- 
tions use TCP or UDP protocols. If an application does, then you must con- 
figure a pinhole to implement port forwarding. This is accessed from the 
Advanced -> Pinholes page. 
Example: A LAN Requiring Three Pinholes. The procedure on the following pages describes how you set up your NAT-enabled Cayman Gateway to support three separate applications. This requires passing three kinds of specific IP traffic through to your LAN.

Application 1: You have a Web server located on your LAN behind your Cay- 
man Gateway and would like users on the Internet to have access to it. With 
NAT "On", the only externally visible IP address on your network is the Gate- 
way's WAN IP (supplied by your Service Provider). All traffic intended for that 
LAN Web server must be directed to that IP address. 



Application 2: You want one of your LAN stations to act as the "central 
repository" for all email for all of the LAN users. 

Application 3: One of your LAN stations is specially configured for game 
applications. You want this specific LAN station to be dedicated to games. 

A sample table to plan the desired pinholes is:

WAN Traffic Type  Protocol  Pinhole Name   LAN Internal IP Address
Web               TCP       my-webserver   192.168.1.1
Email             TCP       my-mailserver  192.168.1.2
Games             UDP       my-games       192.168.1.3


For this example, Internet protocols TCP and UDP must be passed through 
the NAT security feature and the Gateway's embedded Web (HTTP) port 
must be re-assigned by configuring new settings on the Internal Servers 
page. 



TIPS for making Pinhole Entries: 

1. If the port forwarding feature is required for Web services, 
ensure that the embedded Web server's port number is re- 
assigned PRIOR to any Pinhole data entry. 
2. Enter data for one Pinhole at a time.

3. Use a unique name for each Pinhole. If you choose a duplicate 
name, it will overwrite the previous information without warning. 
A diagram of this LAN example is:

[Diagram: Gateway with WAN Ethernet Interface 210.219.41.20 and LAN Ethernet Interface. Embedded Web Server reachable at 210.219.41.20:8100. NAT Pinholes: my-webserver 192.168.1.1, my-mailserver 192.168.1.2, my-games 192.168.1.3.]

You can also use the LAN-side address of the Gateway, 192.168.1.x:8100 to access the web and 192.168.1.x:23 to access the telnet server.






Pinhole Configuration Procedure. Use the following steps: 

1. From the Configure toolbar button -> Advanced link, select the Internal 
Servers link. 

Since Port Forwarding is required for this example, the Cayman embed- 
ded Web server is configured first. 



NOTE:

The two text boxes, Web (HTTP) Server Port and Telnet Server Port, on this page refer to the port numbers of the Cayman Gateway's embedded administration ports.



To pass Web traffic through to your LAN station(s), select a Web (HTTP) Port 
number that is greater than 1024. In this example, you choose 8100. 

2. Type 8100 in the Web (HTTP) Server Port text box. 



[Screen: Internal Servers]
Enter a value from 1 to 65534
Web (HTTP) Server Port: 8100
Telnet Server Port: 23
Submit



3. Click the Submit button. 

4. Click Advanced . Select the Pinholes link to go to the Pinhole page. 
5. Click Add. Type your specific data into the Pinhole Entries table of this page. Click Submit.

[Screen: Pinhole Entry]
Pinhole Name: my-webserver
Protocol Select: TCP
External Port Start: 80
External Port End: 80
Internal IP Address: 192.168.1.1
Internal Port: 80
Submit
Add or Edit more Pinholes



6. Click on the Add or Edit more Pinholes link. Click the Add button. Add the next Pinhole. Type the specific data for the second Pinhole.

[Screen: Pinhole Entry]
Pinhole Name: my-mailserver
Protocol Select: TCP
External Port Start: 25
External Port End: 25
Internal IP Address: 192.168.1.2
Internal Port: 25
Submit
Add or Edit more Pinholes



7. Click on the Add or Edit more Pinholes link. Click the Add button. Add the next Pinhole. Type the specific data for the third Pinhole.

[Screen: Pinhole Entry]
Pinhole Name: my-games
Protocol Select: UDP
External Port Start: 1100
External Port End: 1200
Internal IP Address: 192.168.1.3
Internal Port: 1100
Submit
Add or Edit more Pinholes



NOTE: 

Note the following parameters for the "my-games" Pinhole: 

1. The Protocol ID is UDP. 

2. The external port is specified as a range. 

3. The Internal port is specified as the lower range entry. 
8. Click on the Add or Edit more Pinholes link. Review your entries to be sure they are correct.

[Screen: Pinholes]
To create a new pinhole entry, press the "Add" button.
To edit or delete a pinhole entry, select the entry and press the "Edit" or "Delete" button.

Name-my-webserver Protocol-TCP InsideIPAddr-192.168.1.1
Name-my-mailserver Protocol-TCP InsideIPAddr-192.168.1.2
Name-my-games Protocol-UDP InsideIPAddr-192.168.1.3
Add | Edit | Delete

9. Click the Alert button.

10. Select the Save and Restart link to complete the entire Pinhole creation task and ensure that the parameters are properly saved.



NOTE: 

REMEMBER: When you have re-assigned the port address for the 
embedded Web server, you can still access this facility. 
Use the Gateway's WAN address plus the new port number. 
In this example it would be 

<WAN Gateway address>:<new port number> or, in this case, 
210.219.41.20:8100 

You can also use the LAN-side address of the Gateway, 
192.168.1.x:8100 to access the web and 192.168.1.x:23 to 
access the telnet server. 
Link: IPMaps

IPMaps supports one-to-one Network Address Translation (NAT) for IP 
addresses assigned to servers, hosts, or specific computers on the LAN 
side of the Cayman Gateway. 

A single static or dynamic (DHCP) WAN IP address must be assigned to sup- 
port other devices on the LAN. These devices utilize Cayman's default NAT/ 
PAT capabilities. 

[Screen: IP Map Entry]
IP Map Entry Name: (text field)
Internal IP Address: 192.168.1.0
External IP Address: 0.0.0.0
Submit

Configure the IPMaps Feature 
FAQs for the IPMaps Feature 

Before configuring an example of an IPMaps-enabled network, review these 
frequently asked questions. 

What are IPMaps and how are they used? The IPMaps feature allows 
multiple static WAN IP addresses to be assigned to the Cayman Gateway. 

Static WAN IP addresses are used to support specific services, like a web 
server, mail server, or DNS server. This is accomplished by mapping a sep- 
arate static WAN IP address to a specific internal LAN IP address. All traffic 
arriving at the Gateway intended for the static IP address is transferred to the internal device. All outbound traffic from the internal device appears to originate from the static IP address.

Locally hosted servers are supported by a public IP address while LAN 
users behind the NAT-enabled IP address are protected. 

IPMaps is compatible with the use of NAT, with either a statically assigned 
IP address or DHCP/PPP served IP address for the NAT table. 

What types of servers are supported by IPMaps? IPMaps allows a Cay- 
man Gateway to support servers behind the Gateway, for example, web, 
mail, FTP, or DNS servers. VPN servers are not supported at this time. 

Can I use IPMaps with my PPPoE or PPPoA connection? Yes. IPMaps can be assigned to the WAN interface provided they are on the same subnet. Service providers will need to ensure proper routing to all IP addresses assigned to your WAN interface.

Will IPMaps allow IP addresses from different subnets to be assigned 
to my Gateway? IPMap will support statically assigned WAN IP addresses 
from the same subnet. 

WAN IP addresses from different subnets are not supported. 
IPMaps Block Diagram

The following diagram shows the IPMaps principle in conjunction with existing Cayman NAT operations:

[Diagram: Cayman Gateway with WAN Interface and LAN Interface. LAN stations with WAN IP traffic forwarded by Cayman's IPMaps (one-to-one, multiple address mapping); LAN stations with WAN IP traffic forwarded by Cayman's NAT function.]
Link: Default Server



This feature allows you to: 

• Direct your Gateway to forward all externally initiated IP traffic (TCP and 
UDP protocols only) to a default host on the LAN. 

• Enable it for certain situations: 

- Where you cannot anticipate what port number or packet protocol an 
in-bound application might use. For example, some network games 
select arbitrary port numbers when a connection is opened. 

- When you want all unsolicited traffic to go to a specific LAN host. 

• Configure for IP Passthrough. 

Configure a Default Server. This feature allows you to direct unsolicited 
or non-specific traffic to a designated LAN station. With NAT "On" in the 
Gateway, these packets normally would be discarded. 

For instance, this could be application traffic where you don't know (in 
advance) the port or protocol that will be used. Some game applications fit 
this profile. 



Use the following steps to setup a NAT default server to receive this infor- 
mation: 

1. Select the Configure toolbar button, then Advanced , then the Default 
Server link. 

2. From the pull-down menu, select Default-Server . The NAT Server IP 
Address field appears. 



[Screen: Default Server]
Nat Default Mode: Default-Server (pull-down)
NAT Server IP Address: 0.0.0.0
Submit
3. Determine the IP address of the LAN computer you have chosen to receive the unexpected or unknown traffic.

Enter this address in the NAT Server IP Address field. 

4. Click the Submit button. 

5. Click the Alert button. 

6. Click the Save and Restart link to confirm. 
Typical Network Diagram. A typical network using the NAT Default Server looks like this:

[Diagram: Gateway with WAN Ethernet Interface 210.219.41.20 and LAN Ethernet Interface. Embedded Web Server at 210.219.41.20 (Port 80 default). NAT Default Server 192.168.1.1; LAN STN #2 192.168.1.2, NAT protected.]

You can also use the LAN-side address of the Gateway, 192.168.1.x to access the web and telnet server.
NAT Combination Application. Cayman's NAT security feature allows you to configure a sophisticated LAN layout that uses both the Pinhole and Default Server capabilities.

With this topology, you configure the embedded administration ports as a 
first task, followed by the Pinholes and, finally, the NAT Default Server. 

When using both NAT pinholes and NAT Default Server the Gateway works 
with the following rules (in sequence) to forward traffic from the Internet to 
the LAN: 

1. If the packet is a response to an existing connection created by outbound 
traffic from a LAN PC, forward to that station. 

2. If not, check for a match with a pinhole configuration and, if one is found, 
forward the packet according to the pinhole rule. 

3. If there's no pinhole, the packet is forwarded to the Default Server. 
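The three forwarding rules above, applied to the three-pinhole example from the Pinholes section, as an added Python example that is not part of the page or of COS. The session table, the packet dictionary and the way a port range is mapped (internal port plus the offset into the external range) are constructed assumptions; the page only states that the internal port is the lower range entry. The example also shows what the rules imply for security: with no Default Server, unsolicited traffic that matches no pinhole is discarded, and the Default Server only ever receives TCP and UDP.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pinhole:
    name: str
    protocol: str          # "TCP" or "UDP", as on the Pinhole Entry screen
    ext_start: int         # External Port Start
    ext_end: int           # External Port End
    internal_ip: str
    internal_port: int     # for a range, the lower range entry (page NOTE)


def add_pinhole(table, pinhole):
    """Tip 3 from the page: a duplicate name silently overwrites the earlier
    entry. Returns the entry that was replaced, or None."""
    previous = table.get(pinhole.name)
    table[pinhole.name] = pinhole
    return previous


def sample_pinholes():
    """The three pinholes of the worked example, keyed by name."""
    table = {}
    add_pinhole(table, Pinhole("my-webserver", "TCP", 80, 80, "192.168.1.1", 80))
    add_pinhole(table, Pinhole("my-mailserver", "TCP", 25, 25, "192.168.1.2", 25))
    add_pinhole(table, Pinhole("my-games", "UDP", 1100, 1200, "192.168.1.3", 1100))
    return table


def forward_inbound(packet, sessions, pinholes, default_server=None):
    """Apply the page's three rules, in order, to one WAN->LAN packet.
    packet:   {"proto": "TCP"/"UDP"/..., "src": (ip, port), "dst_port": int}
    sessions: {(proto, remote_ip, remote_port, wan_port): (lan_ip, lan_port)},
              the NAT state created by outbound LAN traffic (constructed shape)
    Returns (lan_ip, lan_port, reason), or None when the packet is discarded."""
    key = (packet["proto"], packet["src"][0], packet["src"][1], packet["dst_port"])
    if key in sessions:                                            # rule 1
        lan_ip, lan_port = sessions[key]
        return lan_ip, lan_port, "existing session"
    for ph in pinholes.values():                                   # rule 2
        if ph.protocol == packet["proto"] and ph.ext_start <= packet["dst_port"] <= ph.ext_end:
            # Assumption: a range maps port-for-port starting at the internal port.
            lan_port = ph.internal_port + (packet["dst_port"] - ph.ext_start)
            return ph.internal_ip, lan_port, f"pinhole {ph.name}"
    if default_server is not None and packet["proto"] in ("TCP", "UDP"):   # rule 3
        return default_server, packet["dst_port"], "default server"
    return None                       # NAT "On" and nothing matched: discarded
```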

IP-Passthrough. COS Version 7 now offers an IP passthrough feature. The 
IP passthrough feature allows a single PC on the LAN to have the Gateway's 
public address assigned to it. It also provides PAT (NAPT) via the same pub- 
lic IP address for all other hosts on the private LAN subnet. Using IP 
passthrough: 

• The public WAN IP is used to provide IP address translation for private 
LAN computers. 

• The public WAN IP is assigned and reused on a LAN computer. 

• DHCP address serving can automatically serve the WAN IP address to a 
LAN computer. 

When DHCP is used for addressing the designated passthrough PC, the acquired or configured WAN address is passed to DHCP, which will dynamically configure a single-servable-address subnet, and reserve the address for the configured MAC address. This dynamic subnet configuration is based on the local and remote WAN address and subnet mask. If the WAN interface does not have a suitable subnet mask that is usable, for example when using PPP or PPPoE, the DHCP subnet configuration will default to a class C subnet mask.



[Screen: Default Server]
Nat Default Mode: IP-Passthrough (pull-down)
Host Hardware Address: 00 - 00 - 00 - 00 - 00 - 00
Submit



If you select IP-Passthrough the Host Hardware Address field displays. 
Here you enter the MAC address of the designated IP-Passthrough com- 
puter. 

• If this MAC address is not all zeroes, then it will use DHCP to set the LAN 
host's address to the (configured or acquired) WAN IP address. 

The MAC address must be six colon-delimited or dash-delimited sets of hex digits ('0' - 'F').

• If the MAC address is all zeroes, then the LAN host will have to be config- 
ured manually. 



Once configured, the passthrough host's DHCP leases will be shortened to 
two minutes. This allows for timely updates of the host's IP address, which 
will be a private IP address before the WAN connection is established. After 
the WAN connection is established and has an address, the passthrough 
host can renew its DHCP address binding to acquire the WAN IP address. 

A restriction. Since both the Gateway and the passthrough host will use 
the same IP address, new sessions that conflict with existing sessions will 
be rejected by the Gateway. For example, suppose you are a teleworker 
using an IPSec tunnel from the Gateway and from the passthrough host. 
Both tunnels go to the same remote endpoint, such as the VPN access con- 
centrator at your employer's office. In this case, the first one to start the 
IPSec traffic will be allowed; the second one - since, from the WAN, it's 
indistinguishable - will fail. 
Link: DNS

Your Service Provider may maintain a Domain Name server. If you have the 
information for the DNS servers, enter it on the DNS page. If your Gateway 
is configured to use DHCP to obtain its WAN IP address, the DNS informa- 
tion is automatically obtained from that same DHCP Server. 



[Screen: DNS]
If your service provider hosts a Domain Name Server, you may enter the domain name and IP address associated with the server here.

If you are receiving DNS information dynamically from your service provider, the server addresses must be entered as "0.0.0.0".

Domain Name: (text field)
Primary DNS Server Address: 0.0.0.0
Secondary DNS Server Address: 0.0.0.0
Submit



Link: DHCP Server 

Your Gateway can provide network configuration information to computers 
on your LAN, using the Dynamic Host Configuration Protocol (DHCP). 

If you already have a DHCP server on your LAN, you should turn this service 
off. 

If you want the Gateway to provide this service, click the Server Mode pull- 
down menu, then configure the range of IP addresses that you would like 
the Gateway to hand out to your computers. 
You can also specify the length of time the computers can use the configuration information; DHCP calls this period the lease time.

Your Service Provider may, for certain services, want to provide configura- 
tion from its DHCP servers to the computers on your LANs. In this case, the 
Gateway will relay the DHCP requests from your computers to a DHCP 
server in the Service Provider's network. 



Click the relay-agent and enter the IP address of the Service Provider's 
DHCP server in the Server Address field. This address is furnished by the 
Service Provider. 



[Screen: DHCP Server]
Server Mode: Relay-agent (pull-down)
Server IP Address: 0.0.0.0
Submit
Link: SNMP

The Simple Network Management Protocol (SNMP) lets a network adminis- 
trator monitor problems on a network by retrieving settings on remote net- 
work devices. The network administrator typically runs an SNMP 
management station program on a local host to obtain information from an 
SNMP agent. In this case, the Cayman Gateway is an SNMP agent. Your 
Gateway supports SNMP-V2. 

You enter SNMP configuration information on this page. 
Your network administrator furnishes the SNMP parameters. 
[Screen: SNMP]
Communities:
Read Community Name: public
Write Community Name: private
Trap Community Name: trap community

System Group:
System Contact: (text field)
System Location: (text field)
Submit

SNMP Trap Addresses




WARNING: 

SNMP presents you with a security issue. The community 
facility of SNMP behaves somewhat like a password. The 
community "public" is a well-known community name. It 
could be used to examine the configuration of your Gateway 
by your service provider or an uninvited reviewer. The infor- 
mation can be read from the Gateway. 
If you are strongly concerned about security, you may 
delete the "public" community. 
Link: Advanced -> Ethernet Bridge

The Cayman Gateway can be used as a bridge, rather than a router. A 
bridge is a device that joins two networks. As an Internet access device, a 
bridge connects the home computer directly to the service provider's net- 
work equipment with no intervening routing functionality, such as Network 
Address Translation. Your home computer becomes just another address 
on the service provider's network. In a DSL connection, the bridge serves 
simply to convey the digital data information back and forth over your tele- 
phone lines in a form that keeps it separate from your voice telephone sig- 
nals. 

If your service provider's network is set up to provide your Internet connec- 
tivity via bridge mode, you can set your Cayman Gateway to be compatible. 

Bridges let you join two networks, so that they appear to be part of the 
same physical network. As a bridge for protocols other than TCP/IP, your 
Gateway keeps track of as many as 512 MAC (Media Access Control) 
addresses, each of which uniquely identifies an individual host on a net- 
work. Your Gateway uses this bridging table to identify which hosts are 
accessible through which of its network interfaces. The bridging table con- 
tains the MAC address of each packet it sees, along with the interface over 
which it received the packet. Over time, the Gateway learns which hosts are 
available through its WAN port and/or its LAN port. 
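The learning behaviour of the bridging table described above, as an added Python example (not from the page or from Netopia). The 512-entry limit and the learn-source-MAC-per-interface rule are from the page; the oldest-entry eviction, the port names and the flood/filter decisions for unknown, known and broadcast destinations are standard transparent-bridge behaviour assumed for the example.

```python
MAX_BRIDGE_ENTRIES = 512      # page: as many as 512 MAC addresses
BROADCAST = "ff-ff-ff-ff-ff-ff"


class LearningBridge:
    """Bridging table as the page describes it: every frame's source MAC is
    recorded together with the interface it arrived on, and the destination
    MAC is looked up in that table to pick the outgoing interface."""

    def __init__(self, ports=("LAN", "WAN")):
        self.ports = tuple(ports)
        self.table = {}           # mac -> interface; insertion order doubles as age

    def learn(self, src_mac, in_port):
        if src_mac not in self.table and len(self.table) >= MAX_BRIDGE_ENTRIES:
            # Assumed policy for the example: make room by dropping the
            # least recently refreshed entry.
            del self.table[next(iter(self.table))]
        self.table.pop(src_mac, None)     # re-insert so the entry becomes the newest
        self.table[src_mac] = in_port

    def forward(self, src_mac, dst_mac, in_port):
        """Learn from the frame, then return the interfaces to send it on."""
        self.learn(src_mac, in_port)
        out_port = self.table.get(dst_mac)
        if dst_mac == BROADCAST or out_port is None:
            return [p for p in self.ports if p != in_port]   # unknown or broadcast: flood
        if out_port == in_port:
            return []                                        # same segment: filter
        return [out_port]
```

Because the bridge forwards on MAC addresses alone, nothing in this table distinguishes a LAN host from an Internet host; that is the mechanism behind the NOTE that follows, that Bridge Mode gives no NAT-style firewall protection.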

When configured in Bridge Mode, the Cayman will act as a pass-through 
device and allow the workstations on your LAN to have public addresses 
directly on the internet. 




NOTE: 

In this mode the Cayman is providing NO firewall protection as is 
afforded by NAT. Also, only the workstations that have a public 
address can access the internet. This can be useful if you have 
multiple static public IPs on the LAN. 
Configuring for Bridge Mode 

1. Browse into the Cayman Gateway's web interface. 

2. Click on the Configure button in the upper Menu bar. 

3. Click on the LAN link. 

The LAN page appears. 

[Screen: LAN IP Interface (Ethernet 100BT). Fields: Enable Interface 
(checkbox), IP Address (192.168.1.254), IP Netmask (255.255.255.0), 
Restrictions (None); Submit button. Other LAN Options: Advanced (Configure 
advanced IP settings), DHCP Server (Configure DHCP server options).] 
4. In the box titled LAN IP Interface (Ethernet 100BT): 

a. Check the Enable Interface selection. 

Make note of the Ethernet IP Address and subnet mask. You can use this 
address to access the router in the future. 

b. Click Submit. 

5. Click on the Advanced link in the left-hand links toolbar. 

6. Under the heading of Services, click on the Ethernet Bridge link. 

The Ethernet Bridge page appears. 

[Screen: Ethernet Bridge. Field: Enable Bridging Function (checkbox).] 

7. Check the Enable Bridging Function selection. 

The window expands. 

[Screen: Ethernet Bridge, expanded. Enable Bridging Function (checked); 
Ethernet 100BT (LAN): Enable Bridging on Port; PPP over Ethernet vcc1 
(WAN): Enable Bridging on Port; Submit button.] 

8. Under Ethernet 100BT (LAN), check the Enable Bridging on Port 
selection. 

9. Under RFC-1483 Bridged Ethernet vcc1 (WAN), or under PPP over Ethernet 
vcc1 (WAN), as per your configuration: 

a. Check the Enable Bridging on Port selection. 

b. Click Submit. 



10. At this point you should be ready to do the final save on the 
configuration changes you have made. 

The yellow Alert symbol will show up underneath the Help button on the 
right-hand end of the menu bar. 

11. Click on this symbol and you will see whether your changes have been 
verified. 



12. If you are satisfied with the changes you have made, click Save and 
Restart in the Save Database box to Apply changes and restart Gateway. 



[Screen: Save Changes. "Changes have been made to the Gateway database. 
You must save the changes and restart the Gateway in order for the changes 
to take effect." Save Database: Save (Apply changes made to the database); 
Save and Restart (Apply changes and restart Gateway). Check Database: 
Review (Review the contents of the database); Validate (Validate edited 
database). Revert Database: Revert (Restore to settings before edits). 
Status line: validation passed.] 



You have now configured your Cayman Gateway for bridging, and it will 
bridge all traffic across the WAN. You will need to configure the 
machines on your LAN; these settings must be made in accordance with your 
ISP. If you ever need to get back into the Cayman Gateway again for 
management reasons, you will need to manually configure your machine to 
be in the same subnet as the Ethernet interface of the Cayman, since the 
DHCP server is not operational in bridge mode. 



Link: System 

The System Name defaults to your Gateway's factory identifier combined 
with its serial number. Some cable-oriented Service Providers use the 
System Name as an important identification and support parameter. If your 
Gateway is part of this type of network, do NOT alter the System Name 
unless specifically instructed by your Service Provider. 





[Screen: System. Fields: System Name (e.g. cayman-DSL1102043), Log 
Message Level (High); Submit button.] 





The System Name can be 1-63 characters long; it can include embedded 
spaces and special characters. 

The Log Message Level alters the severity at which messages are 
collected in the Gateway's system log. Do not alter this field unless 
instructed by your Support representative. 
Link: Syslog Parameters 

You can configure a UNIX-compatible syslog client to report a number of 
subsets of the events entered in the Gateway's WAN Event History. Syslog 
sends log-messages to a host that you specify. 

To enable syslog logging, click on the Syslog Parameters link. 




Check the Syslog checkbox. The screen expands. 

[Screen: Syslog Parameters. Fields: Syslog (checkbox), Syslog Host 
Name/IP Address, Facility (local0), Log Violations, Log Access Attempts, 
Log Accepted Packets; Submit button.] 



• Syslog: Enable syslog logging in the system. 

• Syslog Host Name/IP Address: Enter the name or the IP Address of 
the host that should receive syslog messages. 
• Facility: From the pull-down menu, select the Syslog facility to be used 
by the router when generating syslog messages. Options are local0 
through local7. 

• Log Violations: If you check this checkbox, the Gateway will generate 
messages whenever a packet is discarded because it violates the 
router's security policy. 

• Log Access Attempts: If you check this checkbox, the Gateway will 
generate messages whenever a packet attempts to access the router or 
tries to pass through the router. This option is disabled by default. 

• Log Accepted Packets: If you check this checkbox, the Gateway will 
generate messages whenever a packet accesses the router or passes 
through the router. This option is disabled by default. 

Syslog messages generated by the Gateway may display the following 
reasons: 

1. permitted 
2. attempt 
3. administrative access authenticated and allowed 
4. administrative access allowed 
5. dropped - violation of security policy 
6. dropped - invalid checksum 
7. dropped - invalid data length 
8. dropped - fragmented packet 
9. dropped - cannot fragment 
10. dropped - no route found 
11. dropped - possible land attack 
12. dropped - reassembly timeout 
13. dropped - illegal size 
14. dropped - invalid IP version 
15. TCP SYN flood detected 
16. Telnet receive DoS attack - packets dropped 
17. administrative access denied - telnet access not allowed 
18. administrative access denied - invalid user name 
19. administrative access denied - invalid password 
20. administrative access denied - web access not allowed 
21. administrative access attempted 
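A small triage script for the reasons listed above, added here as an example; it is not part of this manual and not Cayman software. It maps each of the 21 reason strings to a bucket, counts what a syslog host has received, and lists the sources that repeatedly fail administrative authentication, which is the case an operator most wants surfaced. The manual does not show a raw message, so the syslog line layout (PRI, timestamp, host, message) and every log line below are constructed for the example.

```python
"""Classifier for the syslog reasons the Gateway can emit.

Added example, not Cayman code.  The 21 reason strings come from the list
above; the log lines below are constructed for the example and the
surrounding syslog layout (PRI, timestamp, host, message) is an
assumption, since the manual does not show a raw message.
"""
import re
from collections import Counter

# reason text (as listed in the manual) -> triage bucket
REASONS = {
    "permitted": "allowed",
    "attempt": "attempt",
    "administrative access authenticated and allowed": "admin_allowed",
    "administrative access allowed": "admin_allowed",
    "dropped - violation of security policy": "dropped",
    "dropped - invalid checksum": "dropped",
    "dropped - invalid data length": "dropped",
    "dropped - fragmented packet": "dropped",
    "dropped - cannot fragment": "dropped",
    "dropped - no route found": "dropped",
    "dropped - possible land attack": "dropped",
    "dropped - reassembly timeout": "dropped",
    "dropped - illegal size": "dropped",
    "dropped - invalid IP version": "dropped",
    "TCP SYN flood detected": "attack",
    "Telnet receive DoS attack - packets dropped": "attack",
    "administrative access denied - telnet access not allowed": "admin_denied",
    "administrative access denied - invalid user name": "admin_denied",
    "administrative access denied - invalid password": "admin_denied",
    "administrative access denied - web access not allowed": "admin_denied",
    "administrative access attempted": "admin_attempt",
}
# Longest reason first, so "administrative access attempted" wins over "attempt".
_ORDERED = sorted(REASONS, key=len, reverse=True)

SYSLOG_RE = re.compile(r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+): (?P<msg>.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample input (assumed layout; addresses from documentation ranges).
SAMPLE_LOG = """\
<134>Jan 10 10:01:02 cayman: permitted TCP 192.168.1.10:1034 -> 203.0.113.5:80
<132>Jan 10 10:01:05 cayman: dropped - violation of security policy TCP 198.51.100.7:4444 -> 203.0.113.9:23
<132>Jan 10 10:01:06 cayman: administrative access denied - invalid password from 198.51.100.7
<132>Jan 10 10:01:07 cayman: administrative access denied - invalid password from 198.51.100.7
<132>Jan 10 10:01:08 cayman: administrative access denied - invalid user name from 198.51.100.7
<130>Jan 10 10:02:00 cayman: TCP SYN flood detected
<134>Jan 10 10:02:30 cayman: administrative access authenticated and allowed from 192.168.1.10
<132>Jan 10 10:02:31 cayman: dropped - possible land attack from 203.0.113.9
"""


def classify(msg):
    """Return (reason, bucket) for a message, or (None, None) if no listed reason matches."""
    for reason in _ORDERED:
        if reason in msg:
            return reason, REASONS[reason]
    return None, None


def parse_line(line):
    """Split one syslog line into host, message, matched reason, bucket and first IPv4."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    reason, bucket = classify(m["msg"])
    ips = IPV4_RE.findall(m["msg"])
    return {"host": m["host"], "msg": m["msg"], "reason": reason,
            "bucket": bucket, "src": ips[0] if ips else None}


def summarize(text):
    """Count events per bucket across a block of log text."""
    return Counter(e["bucket"] for e in map(parse_line, text.splitlines()) if e)


def repeated_admin_denials(text, threshold=3):
    """Sources with at least `threshold` failed administrative logins."""
    per_src = Counter(e["src"] for e in map(parse_line, text.splitlines())
                      if e and e["bucket"] == "admin_denied" and e["src"])
    return sorted(src for src, n in per_src.items() if n >= threshold)


if __name__ == "__main__":
    print(dict(summarize(SAMPLE_LOG)))
    print(repeated_admin_denials(SAMPLE_LOG))   # ['198.51.100.7']
```

Matching is longest-string-first because several reasons are prefixes or substrings of others ("attempt" inside "administrative access attempted"); the bucket names are the example's own and can be renamed to suit whatever the syslog host does with them.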
Link: Internal Servers 

Your Gateway ships with an embedded Web server and support for a Telnet 
session, to allow ease of use for configuration and maintenance. The 
default ports of 80 for HTTP and 23 for Telnet may be reassigned. This is 
necessary if a pinhole is created to support applications using port 80 or 
23. See "Pinholes" on page 85 for more information on Pinhole 
configuration. 



[Screen: Internal Servers. Fields: Web (HTTP) Server Port (80), Telnet 
Server Port; Submit button.] 



Web (HTTP) Server Port: To reassign the port number used to access the 
Cayman embedded Web server, change this value to a value greater than 
1024. When you next access the embedded Cayman Web server, append 
:<port number> to the IP address (e.g. point your browser to 
http://210.219.41.20:8080). 



Telnet Server Port: To reassign the port number used to access your 
Cayman embedded Telnet server, change this value to a value greater than 
1024. When you next access the Cayman embedded Telnet server, give the 
<port number> after the IP address (e.g. telnet 210.219.41.20 2323). 

You can also use the LAN-side address of the Gateway, 192.168.1.x:8100 
to access the web server and 192.168.1.x:2323 to access the telnet 
server. The value of 0 for an internal server port will disable that server. 
You can disable Telnet or Web, but not both. If you disabled both ports, you 
would not be able to reconfigure the unit without pressing the reset button. 
Link: Software Hosting 

Software Hosting allows you to host internet applications when NAT is 
enabled. User(PC) specifies the machine on which the selected software is 
hosted. You can host different games and software on different PCs. 



[Screen: Host Games and Software. Select a User(PC) to Host Games and 
Software (192.168.1.1); Rename a User(PC) link; Games | Software lists 
(Select Games); Enabled Games and Software (Add software to this 
User(PC)); Add >> and << Remove buttons.] 



To select the games or software that you want to host for a specific PC, 
highlight the name(s) in the box on the left side of the screen. Click the Add 
button to select the software that will be hosted. 

To remove a game or software from the hosted list, highlight the game or 
software you want to remove and click the Remove button. 
List of Supported Games and Software 

• Age of Empires, v.1.0 
• Age of Empires: The Rise of Rome, v.1.0 
• Age of Wonders 
• Baldur's Gate 
• Battlefield Communicator 
• CART Precision Racing, v 1.0 
• Close Combat for Windows 1.0 
• Close Combat: A Bridge Too Far, v 2.0 
• Close Combat III: The Russian Front, v 1.0 
• Combat Flight Sim: WWII Europe Series, v 1.0 
• Combat Flight Sim 2: WWII Pacific Thr, v 1.0 
• Diablo II Server 
• FTP 
• GNUtella 
• H.323 compliant (Netmeeting, CUSeeME) 
• Half Life 
• Hellbender for Windows, v 1.0 
• Heretic II 
• HTTP 
• IPSec 
• Jedi Knight II: Jedi Outcast 
• Lime Wire 
• Links LS 2000 
• Mech Warrior 3 
• Mech Warrior 4: Vengeance 
• Medal of Honor Allied Assault 
• Microsoft Flight Simulator 98 
• Microsoft Flight Simulator 2000 
• Microsoft Golf 1998 Edition, v 1.0 
• Microsoft Golf 1999 Edition 
• Microsoft Golf 2001 Edition 
• Midtown Madness, v 1.0 
• Monster Truck Madness, v 1.0 
• Monster Truck Madness 2, v 2.0 
• pcAnywhere (incoming) 
• POP-3 
• PPTP 
• Quake II 
• Quake III 
• SMTP 
• SSH server 
• StarCraft 
• StarLancer, v 1.0 
• Telnet 
• TFTP 
• Timbuktu 
• Total Annihilation 
• Unreal Tournament Server 
• Urban Assault, v 1.0 
• Win2000 Terminal Server 
Rename a User(PC) 

If a PC on your LAN has no assigned host name, you can assign one by 
clicking the Rename a User(PC) link. 
[Screen: Rename an Existing User(PC). Select a User(PC) to rename 
(192.168.1.1); Enter New Name; Update button.] 







To rename a server, select the server from the pull-down menu. Then type a 
new name in the text box below the pull-down menu. Click the Update but- 
ton to save the new name. 



NOTE: 

The new name given to a server is only known to Software 
Hosting. It is not used as an identifier in other network functions, 
such as DNS or DHCP. 



Link: Clear Options 

To restore the factory configuration of the Gateway, choose Clear Options. 
You may want to upload your configuration to a file before performing this 
function. You can do this using the upload command via the command-line 
interface. See the upload command on page 193. 

Clear Options does not clear feature keys or affect the software image. 

You must restart the Gateway for Clear Options to take effect. 



[Screen: Clear Options. "Choosing the 'Clear Options' link below will 
restore the Gateway's factory configuration. You will be returned to the 
Restart Page because the Gateway must be restarted in order to complete 
the process." Clear Options link.] 
Button: Security 

The Security features are available by clicking on the Security toolbar 
button. Some items of this category do not appear when you log on as User. 



Link: Passwords 

Access to your Gateway may be controlled through two optional user 
accounts, Admin and User. When you first power up your Gateway, you 
create a password for the Admin account. The User account does not exist 
by default. As the Admin, a password for the User account can be entered 
or existing passwords changed. 

Create and Change Passwords. You can establish different levels of 
access security to protect your Cayman Gateway settings from unauthorized 
display or modification. 

• Admin level privileges let you display and modify all settings in the 
Cayman Gateway (Read/Write mode). The Admin level password is created 
when you first access your Gateway. 

• User level privileges let you display (but not change) settings of the 
Cayman Gateway (Read Only mode). 

To prevent anyone from observing the password you enter, characters in the 
old and new password fields are not displayed as you type them. 
To display the Passwords window, click the Security toolbar button on the 
Home page. 



[Screen: Passwords] 

About Passwords 

Access to your Gateway is controlled through two user accounts, Admin and 
User. 
Admin: Full access to the Gateway. 
User: Not allowed to configure any parameters, install keys/software, or 
restart the Gateway. 

Use the fields below to change or create passwords. 

Passwords: Username (Admin), Old Password (leave blank if no old 
password), New Password, Confirm Password; Submit button. 
Password changes are automatically saved, and take effect immediately. 



Use the following procedure to change existing passwords or add the User 
password for your Cayman Gateway: 

1. Select the password type from the Password Level pull-down list. 
Choose from Admin or User. 

2. If you assigned a password to the Cayman Gateway previously, enter 
your current password in the Old Password field. 

3. Enter your new password in the New Password field. 

Cayman's rules for a Password are: 

• It can have up to eight alphanumeric characters. 

• It is case-sensitive. 
4. Enter your new password again in the Confirm Password field. 

You confirm the new password to verify that you entered it correctly the 
first time. 

5. When you are finished, click the Submit button to store your modified 
configuration in the Cayman unit's memory. 

Password changes are automatically saved, and take effect immediately. 



Link: Firewall 

Use a Cayman Firewall 

BreakWater Basic Firewall. Breakwater delivers an easily selectable set 
of pre-configured firewall protection levels. For simple implementation these 
settings (comprised of three levels) are readily available through Cayman's 
embedded web server interface. 

BreakWater Basic Firewall's three settings are: 

• ClearSailing 

ClearSailing, Breakwater's default setting, supports both inbound and 
outbound traffic. It is the only basic firewall setting that fully 
interoperates with all other Cayman software features. 

• SilentRunning 

Using this level of firewall protection allows transmission of outbound 
traffic on pre-configured TCP/UDP ports. It disables any attempt for 
inbound traffic to identify the Gateway. This is the Internet equivalent of 
having an unlisted number. 

• LANd Locked 

The third option available turns off all inbound and outbound traffic, 
isolating the LAN and disabling all WAN traffic. 
NOTE: 

Breakwater Basic Firewall operates independent of the NAT 
functionality on the Gateway. 

Configuring for a BreakWater Setting 

Use these steps to establish a firewall setting: 

1. Ensure that you have enabled the BreakWater basic firewall with the 
appropriate feature key. 

See "Use Cayman Software Feature Keys" on page 149 for reference. 

2. Click the Security toolbar button. 

3. Click Firewall. 





[Screen: BreakWater Firewall] 

ClearSailing: Removes the traffic restrictions imposed by SilentRunning 
and LANdLocked. Protection against unwanted inbound traffic is controlled 
by NAT settings. 
Note: The ClearSailing firewall setting is necessary to enable pinholes, 
IPMaps and a NAT default server. 

SilentRunning: Using this level of firewall protection allows secure 
transmission of outbound traffic, but disables any attempt for inbound 
traffic to identify the Gateway. This is the Internet equivalent of 
having an unlisted number. 
Note: The SilentRunning firewall setting disables pinholes, IPMaps and a 
NAT default server. 

LANdLocked: This option turns off all inbound and outbound traffic 
(including pinholes and IPMaps), isolating the LAN and disabling all WAN 
traffic. 

BreakWater Option: ( ) ClearSailing ( ) SilentRunning ( ) LANdLocked 

BreakWater changes are automatically saved, and take effect immediately. 
Submit button. 
4. Click on the radio button to select the protection level you want. Click 
Submit. 

Changing the Breakwater setting does not require a restart to take 
effect. This makes it easy to change the setting "on the fly," as your 
needs change. 



TIPS for making your Breakwater Basic Firewall Selection 

Application                       Select this Level   Other Considerations 
Typical Internet usage            SilentRunning 
(browsing, e-mail) 
Multi-player online gaming        ClearSailing        Set Pinholes; once defined, pinholes will 
                                                      be active whenever ClearSailing is set. 
                                                      Restore SilentRunning when finished. 
Going on vacation                 LANdLocked          Protects your connection while you're away. 
Finished online use for the day   LANdLocked          This protects you instead of disconnecting 
                                                      your Gateway connection. 
Chatting online or using          ClearSailing        Set Pinholes; once defined, pinholes will 
instant messaging                                     be active whenever ClearSailing is set. 
                                                      Restore SilentRunning when finished. 



Basic Firewall Background 

As a device on the Internet, a Cayman Gateway requires an IP address in 
order to send or receive traffic. 

The IP traffic sent or received has an associated application port which 
is dependent on the nature of the connection request. In the IP protocol 
standard the following session types are common applications: 

• ICMP • HTTP • FTP 

• SNMP • telnet • DHCP 

By receiving a response to a scan from a port or series of ports (which is 
the expected behavior according to the IP standard), hackers can identify an 
existing device and gain a potential opening for access to an 
internet-connected device. 

To protect LAN users and their network from these types of attacks, 
BreakWater offers three levels of increasing protection. 

The following tables indicate the state of ports associated with session 
types, both on the WAN side and the LAN side of the Gateway. 

This table shows how inbound traffic is treated. Inbound means the traffic 
is coming from the WAN into the WAN side of the Gateway. 



Gateway: WAN Side 

Port   Session type           ClearSailing     SilentRunning    LANdLocked 
20     ftp data               Enabled          Disabled         Disabled 
21     ftp control            Enabled          Disabled         Disabled 
23     telnet external        Enabled          Disabled         Disabled 
23     telnet Cayman server   Enabled          Disabled         Disabled 
80     http external          Enabled          Disabled         Disabled 
80     http Cayman server     Enabled          Disabled         Disabled 
67     DHCP client            Enabled          Enabled          Disabled 
68     DHCP server            Not Applicable   Not Applicable   Not Applicable 
161    snmp                   Enabled          Disabled         Disabled 
-      ping (ICMP)            Enabled          Disabled         Disabled 


This table shows how outbound traffic is treated. Outbound means the 
traffic is coming from the LAN-side computers into the LAN side of the 
Gateway. 


Gateway: LAN Side 

Port   Session type           ClearSailing     SilentRunning    LANdLocked 
20     ftp data               Enabled          Enabled          Disabled 
21     ftp control            Enabled          Enabled          Disabled 
23     telnet external        Enabled          Enabled          Disabled 
23     telnet Cayman server   Enabled          Enabled          Enabled 
80     http external          Enabled          Enabled          Disabled 
80     http Cayman server     Enabled          Enabled          Enabled 
67     DHCP client            Not Applicable   Not Applicable   Not Applicable 
68     DHCP server            Enabled          Enabled          Enabled 
161    snmp                   Enabled          Enabled          Enabled 
-      ping (ICMP)            Enabled          Enabled          WAN - Disabled; 
                                                                LAN - Local Address Only 




NOTE: 

The Gateway's WAN DHCP client port in SilentRunning mode is 
enabled. This feature allows end users to continue using DHCP- 
served IP addresses from their Service Providers, while having 
no identifiable presence on the Internet. 
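The two port-state tables above, encoded as a small policy model; this is an added example, not Cayman code. It answers two questions the tables and the TIPS table answer by hand: which session types still respond on the WAN side at a given level (the surface a port scan would see), and which is the most restrictive level that still enables everything a user needs. The ordering of the three levels by restrictiveness and the idea of a "required services" list are assumptions of the example.

```python
"""BreakWater port-state model, added as an illustration (not Cayman code).

Encodes the two tables above (the state of each session type at each
protection level, on the WAN side and on the LAN side) and derives the most
restrictive level that still enables a given set of services.  The
ordering of the levels by restrictiveness and the notion of a "required
services" list are assumptions of this example.
"""

LEVELS = ("ClearSailing", "SilentRunning", "LANdLocked")   # least to most restrictive
E, D, NA = "Enabled", "Disabled", "Not Applicable"

# (side, session type) -> state at each level, in LEVELS order.  Copied from the tables.
TABLE = {
    ("WAN", "ftp data"):             (E, D, D),
    ("WAN", "ftp control"):          (E, D, D),
    ("WAN", "telnet external"):      (E, D, D),
    ("WAN", "telnet Cayman server"): (E, D, D),
    ("WAN", "http external"):        (E, D, D),
    ("WAN", "http Cayman server"):   (E, D, D),
    ("WAN", "DHCP client"):          (E, E, D),
    ("WAN", "DHCP server"):          (NA, NA, NA),
    ("WAN", "snmp"):                 (E, D, D),
    ("WAN", "ping (ICMP)"):          (E, D, D),
    ("LAN", "ftp data"):             (E, E, D),
    ("LAN", "ftp control"):          (E, E, D),
    ("LAN", "telnet external"):      (E, E, D),
    ("LAN", "telnet Cayman server"): (E, E, E),
    ("LAN", "http external"):        (E, E, D),
    ("LAN", "http Cayman server"):   (E, E, E),
    ("LAN", "DHCP client"):          (NA, NA, NA),
    ("LAN", "DHCP server"):          (E, E, E),
    ("LAN", "snmp"):                 (E, E, E),
    ("LAN", "ping (ICMP)"):          (E, E, "WAN - Disabled; LAN - Local Address Only"),
}


def state(level, side, session):
    """State of one session type on one side of the Gateway at a given level."""
    return TABLE[(side, session)][LEVELS.index(level)]


def enabled_sessions(level, side):
    """Session types that respond on `side` at `level`; the WAN list is the exposed surface."""
    idx = LEVELS.index(level)
    return sorted(s for (sd, s), states in TABLE.items() if sd == side and states[idx] == E)


def most_restrictive_level(required):
    """Most restrictive level at which every (side, session) in `required` is Enabled."""
    for level in reversed(LEVELS):
        if all(state(level, side, session) == E for side, session in required):
            return level
    return None   # no level enables everything requested


if __name__ == "__main__":
    print(enabled_sessions("SilentRunning", "WAN"))              # ['DHCP client']
    print(most_restrictive_level([("LAN", "http external")]))    # SilentRunning
    print(most_restrictive_level([("WAN", "http external")]))    # ClearSailing
```

Run against the TIPS table, the model agrees with it: browsing only needs LAN-side http, so SilentRunning is enough; anything that must accept inbound connections (WAN-side services) forces ClearSailing; an empty requirement list yields LANdLocked.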
Link: IPSec 



Your Gateway supports two mechanisms for IPSec tunnels: 

1. IPSec PassThrough supports Virtual Private Network (VPN) clients 
running on LAN-connected computers. Normally, this feature is enabled. 
However, you can disable it if your LAN-side VPN client includes its own 
NAT interoperability option. 

2. SafeHarbour VPN IPSec is a keyed feature that you must purchase. It 
enables Gateway-terminated VPN support. 



[Screen: IPSec. "Two separate mechanisms for IPSec tunnel support are 
provided by your Gateway: IPSec PassThrough supports VPN clients running 
on LAN-connected computers. Disable this checkbox if your LAN-side VPN 
client includes its own NAT interoperability solution. SafeHarbour is a 
keyed feature that enables Gateway-terminated VPN support." Fields: 
Enable IPSec PassThrough (checked), Enable SafeHarbour IPSec (unchecked).] 
How to Configure a SafeHarbour VPN 

VPN IPSec Tunnel at the Gateway. SafeHarbour VPN IPSec Tunnel 
provides a single, encrypted tunnel to be terminated on the Gateway, making 
a secure tunnel available for all LAN-connected Users. This implementation 
offers the following: 

• Eliminates the need for VPN client software on individual PCs. 

• Reduces the complexity of tunnel configuration. 

• Simplifies the ongoing maintenance for secure remote access. 



A typical SafeHarbour configuration is shown below: 




[Figure: SafeHarbour VPN IPSec Tunnel Termination, between a 
standards-based Gateway and a Cayman Gateway.] 

Use these Best Practices in establishing your SafeHarbour tunnel. 

1. Ensure that the configuration information is complete and accurate. 

2. Use the Worksheet provided on page 128. 
Parameter Description and Setup. The following table describes 
SafeHarbour's parameters that are used for an IPSec VPN tunnel 
configuration: 

Auth Protocol 
    Authentication Protocol for IP packet header. The three parameter 
    values are None, Encapsulating Security Payload (ESP) and 
    Authentication Header (AH). 

DH Group 
    Diffie-Hellman is a public key algorithm used between two systems to 
    determine and deliver secret keys used for encryption. Groups 1, 2 
    and 5 are supported. 

Enable 
    This toggle button is used to enable/disable the configured tunnel. 

Encrypt Protocol 
    Encryption protocol for the tunnel session. Parameter values 
    supported include NONE or ESP. 

Hard MBytes 
    Setting the Hard MBytes parameter forces the renegotiation of the 
    IPSec Security Associations (SAs) at the configured Hard MByte 
    value. The value can be configured between 1 and 1,000,000 MB and 
    refers to data traffic passed. 

Hard Seconds 
    Setting the Hard Seconds parameter forces the renegotiation of the 
    IPSec Security Associations (SAs) at the configured Hard Seconds 
    value. The value can be configured between 60 and 1,000,000 
    seconds. 

Key Management 
    The Key Management algorithm manages the exchange of security keys 
    in the IPSec protocol architecture. SafeHarbour supports the 
    standard Internet Key Exchange (IKE). 

Peer External IP Address 
    The Peer External IP Address is the public, or routable, IP address 
    of the remote gateway or VPN server you are establishing the tunnel 
    with. 

Peer Internal IP Network 
    The Peer Internal IP Network is the private, or Local Area Network 
    (LAN), address of the remote gateway or VPN Server you are 
    communicating with. 

Peer Internal IP Netmask 
    The Peer Internal IP Netmask is the subnet mask of the Peer Internal 
    IP Network. 

PFS Enable 
    Perfect Forward Secrecy (PFS) is used during SA renegotiation. When 
    PFS is selected, a Diffie-Hellman key exchange is required. If 
    enabled, the PFS DH group follows the IKE phase 1 DH group. 

Pre-Shared Key 
    The Pre-Shared Key is a parameter used for authenticating each side. 
    The value can be ASCII or Hex and a maximum of 64 characters. ASCII 
    is case-sensitive. 

Pre-Shared Key Type 
    The Pre-Shared Key Type classifies the Pre-Shared Key. SafeHarbour 
    supports ASCII or HEX types. 

Name 
    The Name parameter refers to the name of the configured tunnel. This 
    is mainly used as an identifier for the administrator. The Name 
    parameter is an ASCII value and is limited to 31 characters. The 
    tunnel name is the only IPSec parameter that does not need to match 
    the peer gateway. 

Negotiation Method 
    This parameter refers to the method used during the Phase I key 
    exchange, or IKE process. SafeHarbour supports Main or Aggressive 
    Mode. Main mode requires 3 two-way message exchanges while 
    Aggressive mode only requires 3 total message exchanges. 

SA Encrypt Type 
    SA Encryption Type refers to the symmetric encryption type. This 
    encryption algorithm will be used to encrypt each data packet. SA 
    Encryption Type values supported include DES and 3DES. 

SA Hash Type 
    SA Hash Type refers to the Authentication Hash algorithm used during 
    SA negotiation. Values supported include MD5 and SHA1. N/A will 
    display if NONE is chosen for Auth Protocol. 

Soft MBytes 
    Setting the Soft MBytes parameter forces the renegotiation of the 
    IPSec Security Associations (SAs) at the configured Soft MByte 
    value. The value can be configured between 1 and 1,000,000 MB and 
    refers to data traffic passed. If this value is not achieved, the 
    Hard MBytes parameter is enforced. 

Soft Seconds 
    Setting the Soft Seconds parameter forces the renegotiation of the 
    IPSec Security Associations (SAs) at the configured Soft Seconds 
    value. The value can be configured between 60 and 1,000,000 
    seconds. 
IPSec Tunnel Parameter Setup Worksheet. 



Parameter                   Cayman 
Name                        (fill in) 
Peer External IP Address    (fill in) 
Peer Internal IP Network    (fill in) 
Peer Internal IP Netmask    (fill in) 
Enable                      (fill in) 
Encrypt Protocol            None / ESP 
Auth Protocol               None / ESP / AH 
Key Management              IKE 
Pre-Shared Key Type         HEX / ASCII 
Pre-Shared Key              (fill in) 
Negotiation Method          Main / Aggressive 
DH Group                    1 / 2 / 5 
SA Encrypt Type             DES / 3DES 
SA Hash Type                N/A / MD5 / SHA1 
PFS Enable                  Off / On 
Soft MBytes                 1 - 1000000 
Soft Seconds                60 - 1000000 
Hard MBytes                 1 - 1000000 
Hard Seconds                60 - 1000000 





SafeHarbour Tunnel Setup. Use the following tasks to configure an IPSec 
VPN tunnel on your Cayman Gateway. 
Task 1: Ensure that you have SafeHarbour VPN enabled. 

SafeHarbour is a keyed feature. See page 149 for information concerning 
installing Cayman Software Feature Keys. 

Task 2: Complete Parameter Setup Worksheet 

IPSec tunnel configuration requires that the parameters be set precisely 
on both VPN devices. The Setup Worksheet facilitates setup and assures 
that the associated variables are identical. 

Task 3: Enable IPSec 

IPSec must be enabled on your Gateway to allow further VPN configuration. 
Perform the following steps to enable IPSec: 

1. Browse to Gateway. 

2. Click the Security toolbar button. 

3. Click the IPSec link. 

4. Check the Enable SafeHarbour IPSec checkbox. 

Checking this box will automatically display the SafeHarbour IPSec 
Tunnel Entry parameters. 
[Screen: IPSec] 

Two separate mechanisms for IPSec tunnel support are provided by your 
Gateway: 

• IPSec PassThrough supports VPN clients running on LAN-connected 
computers. Disable this checkbox if your LAN-side VPN client includes its 
own NAT interoperability solution. 

• SafeHarbour is a keyed feature that enables Gateway-terminated VPN 
support. 

IPSec PassThrough: Enable IPSec PassThrough (checkbox) 
SafeHarbour IPSec: Enable SafeHarbour IPSec (checkbox); Submit button 

SafeHarbour IPSec Tunnel Entry (columns): On | Name | Peer External IP 
Address (0.0.0.0) | Encryption Protocol (ESP) | Authentication Protocol 
(ESP) | Key Management (IKE) | Add 



Task 4: Make the IPSec Tunnel Entries 



Enter the initial group of tunnel parameters. Refer to your Setup 
Worksheet and the Glossary of VPN Terms as required. Perform the following 
steps: 

1. Enter tunnel Name. 

This is the only parameter that does not have to be identical to 
the peer/remote VPN device. 

2. Enter the Peer External IP Address. 

3. Select Encryption Protocol from the pull-down menu. 
4. Select Authentication Protocol from the pull-down menu. 

5. Ensure that the toggle checkbox Enable, which is On by default, remains 
On. 

6. Click Add. 

The Tunnel Details page appears. 



[Screen: Tunnel Details. Fields: Name (telework), Peer Internal Network 
(0.0.0.0), Peer Internal Netmask (255.255.255.0), Negotiation Method 
(Main), Pre-Shared Key Type (ASCII), Pre-Shared Key, DH Group (1), PFS 
Enable (checkbox), SA Encrypt Type (DES), SA Hash Type (MD5), Soft MBytes 
(1000), Soft Seconds (82800), Hard MBytes (1200), Hard Seconds (86400); 
Update and Delete buttons.] 



Task 5: Make the Tunnel Details entries 

Use the following steps: 
1. Enter or select the required settings. 

2. Click Update. The Alert button appears. 

3. Click the Alert button. 

4. Click Save and Restart. 

Your SafeHarbour IPSec VPN tunnel is fully configured. 

Tunnel sessions can only be initiated from the LAN client side. 
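The worksheet discipline Tasks 2 through 5 rely on, as an added example that is not part of this manual and not Cayman code: a Python validator that encodes the permitted values and ranges from the parameter table and worksheet, checks one filled-in worksheet for internal consistency, and compares the local and remote worksheets so that every parameter the two ends must share actually matches (Name is the one parameter the manual says need not match). Treating the three address fields as mirrored rather than shared, and requiring the soft limits not to exceed the hard limits they fall back to, are assumptions of the example; all sample values are constructed.

```python
"""Worksheet validator for a SafeHarbour-style IPSec tunnel.

Added example, not Cayman code.  Encodes the permitted values and ranges
from the parameter table and worksheet above, checks one worksheet for
consistency, and compares two worksheets (local gateway and remote peer)
on every shared parameter.  Treating the address fields as mirrored rather
than shared, and requiring soft limits not to exceed hard limits, are
assumptions of this example; all sample values are constructed.
"""
import ipaddress
import re

CHOICES = {
    "Encrypt Protocol": {"None", "ESP"},
    "Auth Protocol": {"None", "ESP", "AH"},
    "Key Management": {"IKE"},
    "Pre-Shared Key Type": {"HEX", "ASCII"},
    "Negotiation Method": {"Main", "Aggressive"},
    "DH Group": {1, 2, 5},
    "SA Encrypt Type": {"DES", "3DES"},
    "SA Hash Type": {"N/A", "MD5", "SHA1"},
    "PFS Enable": {"On", "Off"},
}
RANGES = {
    "Soft MBytes": (1, 1_000_000),
    "Soft Seconds": (60, 1_000_000),
    "Hard MBytes": (1, 1_000_000),
    "Hard Seconds": (60, 1_000_000),
}
ADDRESSES = ("Peer External IP Address", "Peer Internal IP Network",
             "Peer Internal IP Netmask")
# Everything both ends must agree on; Name and the (mirrored) addresses are exempt.
SHARED = set(CHOICES) | set(RANGES) | {"Pre-Shared Key"}


def validate(ws):
    """Return a list of problems with one worksheet (empty means consistent)."""
    errors = []
    name = ws.get("Name", "")
    if not (1 <= len(name) <= 31 and name.isascii()):
        errors.append("Name must be 1-31 ASCII characters")
    for key in ADDRESSES:
        try:
            ipaddress.IPv4Address(ws.get(key, ""))
        except ValueError:
            errors.append(f"{key} is not a valid IPv4 address")
    for key, allowed in CHOICES.items():
        if ws.get(key) not in allowed:
            errors.append(f"{key} must be one of {sorted(map(str, allowed))}")
    for key, (lo, hi) in RANGES.items():
        value = ws.get(key)
        if not isinstance(value, int) or not lo <= value <= hi:
            errors.append(f"{key} must be an integer between {lo} and {hi}")
    psk = ws.get("Pre-Shared Key", "")
    if not 1 <= len(psk) <= 64:
        errors.append("Pre-Shared Key must be 1-64 characters")
    elif ws.get("Pre-Shared Key Type") == "HEX" and not re.fullmatch(r"[0-9A-Fa-f]+", psk):
        errors.append("HEX Pre-Shared Key may contain only hex digits")
    # The table shows N/A for the hash exactly when Auth Protocol is NONE.
    if (ws.get("SA Hash Type") == "N/A") != (ws.get("Auth Protocol") == "None"):
        errors.append("SA Hash Type is N/A exactly when Auth Protocol is None")
    # Soft limits should fire before the hard limits they fall back to (assumption).
    for unit in ("MBytes", "Seconds"):
        soft, hard = ws.get(f"Soft {unit}"), ws.get(f"Hard {unit}")
        if isinstance(soft, int) and isinstance(hard, int) and soft > hard:
            errors.append(f"Soft {unit} should not exceed Hard {unit}")
    return errors


def mismatches(local, peer):
    """Shared parameters whose values differ between the two worksheets."""
    return sorted(k for k in SHARED if local.get(k) != peer.get(k))


# Constructed sample worksheets (example values only).
LOCAL = {
    "Name": "telework",
    "Peer External IP Address": "203.0.113.1",
    "Peer Internal IP Network": "10.0.0.0",
    "Peer Internal IP Netmask": "255.255.255.0",
    "Encrypt Protocol": "ESP", "Auth Protocol": "ESP", "Key Management": "IKE",
    "Pre-Shared Key Type": "ASCII", "Pre-Shared Key": "example-psk-change-me",
    "Negotiation Method": "Main", "DH Group": 1,
    "SA Encrypt Type": "DES", "SA Hash Type": "MD5", "PFS Enable": "Off",
    "Soft MBytes": 1000, "Soft Seconds": 82800,
    "Hard MBytes": 1200, "Hard Seconds": 86400,
}
PEER = {**LOCAL, "Name": "hq-side", "DH Group": 2}      # disagrees on DH Group only
BAD = {**LOCAL, "Soft Seconds": 30, "Pre-Shared Key Type": "HEX",
       "Pre-Shared Key": "not-hex", "Hard MBytes": 500}

if __name__ == "__main__":
    print(validate(LOCAL))              # []
    print(mismatches(LOCAL, PEER))      # ['DH Group']
    print(validate(BAD))
```

Running `mismatches` before touching the Gateway catches the usual cause of a tunnel that never comes up: one end with a different DH group, hash, or key than the other, which IKE reports only as a failed negotiation.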
Link: Stateful Inspection 

All computer operating systems are vulnerable to attack from outside 
sources, typically at the operating system or Internet Protocol (IP) layers. 
Stateful Inspection firewalls intercept and analyze incoming data packets to 
determine whether they should be admitted to your private LAN, based on 
multiple criteria, or blocked. Stateful inspection improves security by 
tracking data packets over a period of time, examining incoming and 
outgoing packets. Outgoing packets that request specific types of incoming 
packets are tracked; only those incoming packets constituting a proper 
response are allowed through the firewall. 

Stateful inspection is a security feature that prevents unsolicited inbound 
access when NAT is disabled. You can configure UDP and TCP "no-activity" 
periods that will also apply to NAT time-outs if stateful inspection is 
enabled on the interface. Stateful Inspection parameters are active on a 
WAN interface only if enabled on your Gateway. Stateful inspection can be 
enabled on a profile whether NAT is enabled or not. 

Stateful Inspection Firewall installation procedure

NOTE:

Installing Stateful Inspection Firewall is mandatory to comply with Required Services Security Policy - Residential Category module - Version 4.0 (specified by ICSA Labs). For more information please go to the following URL: http://www.icsalabs.com/html/communities/firewalls/certification/criteria/Residential.pdf

1. Access the router through the web interface from the private LAN. DHCP server is enabled on the LAN by default.

2. The Gateway's Stateful Inspection feature must be enabled in order to block unsolicited TCP, UDP and ICMP packets destined for the router or the private hosts. This can be done by navigating to Expert Mode -> Security -> Stateful Inspection.

[Screenshot: Stateful Inspection page]

No-activity Time-outs
Enter a value from 30 to 65535 (seconds)
UDP no-activity time-out: 180
TCP no-activity time-out: 14400
Submit

Exposed Addresses
Exposed addresses: Configure Exposed Addresses (Active only if NAT is disabled)

Stateful Inspection Options
PPP over Ethernet vcc1: Configure stateful inspection options for this interface

• UDP no-activity time-out: The time in seconds after which a UDP session will be terminated, if there is no traffic on the session.

• TCP no-activity time-out: The time in seconds after which a TCP session will be terminated, if there is no traffic on the session.

• Exposed Addresses: The hosts specified in Exposed Addresses will be allowed to receive inbound traffic even if there is no corresponding outbound traffic. This is active only if NAT is disabled on a WAN interface.

• Stateful Inspection Options: Enable and configure stateful inspection on a WAN interface.
Exposed Addresses

You can specify the IP addresses you want to expose by clicking the 
Exposed addresses link. 



[Screenshot: Exposed Addresses page]

Exposed Addresses
No exposed address entries have been defined
Add



The Add, Edit, and Delete exposed address options are active only if NAT is disabled on a WAN interface. The hosts specified in exposed addresses will be allowed to receive inbound traffic even if there is no corresponding outbound traffic.



[Screenshot: Exposed Address Entry #1 form]

Start Address: 0.0.0.0
End Address: 0.0.0.0
Protocol: Any
Submit



Start Address: Start IP Address of the exposed host range. 

End Address: End IP Address of the exposed host range 

Protocol: Select the Protocol of the traffic to be allowed to the host 
range from the pull-down menu. Options are Any, TCP, UDP, or TCP/UDP. 
[Screenshot: Exposed Address Entry #1 form with a port range]

Start Address: 192.168.1.10
End Address: 192.168.1.12
Protocol: TCP/UDP
Start Port (1-65535):
End Port (1-65535):
Submit

Add more Exposed Addresses



• Start Port: Start port of the range to be allowed to the host range. The acceptable range is from 1 - 65535.

• End Port: End port of the range to be allowed to the host range. The acceptable range is from 1 - 65535.

You can add more exposed addresses by clicking the Add more Exposed 
Addresses link. A list of previously configured exposed addresses appears. 



Exposed Addresses

#1 Start-Address-192.168.1.10 End-Address-192.168.1.12 TCP/UDP Start-Port-1 End-Port-1

Add  Edit  Delete



Click the Add button to add a new range of exposed addresses. 

You can edit a previously configured range by clicking the Edit button, or 
delete the entry entirely by clicking the Delete button. 
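The following is an added example and not Netopia's code: a small Python model of the rules described under "Link: Stateful Inspection" and in this Exposed Addresses section. Outbound packets from the LAN open a tracked session; an inbound packet is admitted only if it answers a tracked session, or if NAT is disabled and it matches an Exposed Address entry (host range, protocol, port range); sessions with no traffic for the UDP or TCP no-activity time-out expire. The LAN network, the WAN addresses, the sample packets and the exposed-address entry are constructed sample data, and the 180/14400 second defaults mirror the values in the screenshot above.

```python
"""Added example, not Netopia's code: a model of stateful inspection with
no-activity time-outs and Exposed Address entries. All addresses, packets
and the entry used in run_demo() are constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Packet:
    proto: str   # "TCP" or "UDP"
    src: str
    sport: int
    dst: str
    dport: int
    ts: float    # seconds on a simulated clock


@dataclass(frozen=True)
class ExposedRange:
    """One Exposed Address entry: host range, protocol and port range."""
    start_addr: str
    end_addr: str
    proto: str = "Any"        # "Any", "TCP", "UDP" or "TCP/UDP"
    start_port: int = 1
    end_port: int = 65535

    def matches(self, pkt: Packet) -> bool:
        addr_ok = IPv4Address(self.start_addr) <= IPv4Address(pkt.dst) <= IPv4Address(self.end_addr)
        port_ok = self.start_port <= pkt.dport <= self.end_port
        proto_ok = self.proto == "Any" or pkt.proto in self.proto.split("/")
        return addr_ok and port_ok and proto_ok


class StatefulInspector:
    def __init__(self, lan_net: str, udp_timeout: int = 180, tcp_timeout: int = 14400,
                 nat_enabled: bool = True, exposed=()):
        self.lan_net = IPv4Network(lan_net)
        self.timeouts = {"UDP": udp_timeout, "TCP": tcp_timeout}
        self.nat_enabled = nat_enabled
        self.exposed = tuple(exposed)
        # session key -> time of the last packet seen on that session
        self.sessions: dict[tuple, float] = {}

    def _expire(self, now: float) -> None:
        """Drop sessions idle for longer than their protocol's time-out."""
        for key, last in list(self.sessions.items()):
            if now - last > self.timeouts[key[0]]:
                del self.sessions[key]

    def process(self, pkt: Packet) -> tuple[bool, str]:
        """Return (allowed, reason) for one packet crossing the WAN interface."""
        self._expire(pkt.ts)
        if IPv4Address(pkt.src) in self.lan_net:
            # outbound: remember the 5-tuple so the reply can be matched
            self.sessions[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = pkt.ts
            return True, "outbound, session tracked"
        reply_key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reply_key in self.sessions:
            self.sessions[reply_key] = pkt.ts      # activity refreshes the time-out
            return True, "reply to tracked session"
        if not self.nat_enabled and any(r.matches(pkt) for r in self.exposed):
            return True, "exposed address"
        return False, "unsolicited inbound"


def run_demo() -> list[bool]:
    """Replays constructed traffic and returns the allow/drop verdict per packet."""
    fw = StatefulInspector("192.168.1.0/24", nat_enabled=False,
                           exposed=[ExposedRange("192.168.1.10", "192.168.1.12", "TCP/UDP")])
    traffic = [
        Packet("UDP", "192.168.1.5", 5353, "192.0.2.53", 53, 0),        # LAN host queries DNS
        Packet("UDP", "192.0.2.53", 53, "192.168.1.5", 5353, 1),        # the answer: allowed
        Packet("UDP", "192.0.2.53", 53, "192.168.1.5", 5353, 200),      # 199 s idle > 180 s: dropped
        Packet("TCP", "203.0.113.7", 40000, "192.168.1.10", 80, 201),   # exposed host: allowed
        Packet("TCP", "203.0.113.7", 40000, "192.168.1.20", 80, 202),   # not exposed: dropped
    ]
    return [fw.process(p)[0] for p in traffic]


if __name__ == "__main__":
    for allowed in run_demo():
        print("ALLOW" if allowed else "DROP")
```

With NAT enabled the exposed-address branch is never consulted, which matches the page's statement that the entries are active only when NAT is disabled on the WAN interface.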



All configuration changes will trigger the Alert icon. Click on the Alert icon. This allows you to validate the configuration and reboot the Gateway.



[Screenshot: Configure -> Save Changes page]

Changes have been made to the Gateway database. You must save the changes and restart the Gateway in order for the changes to take effect.

Save Database:
Save - Apply changes made to the database
Save and Restart - Apply changes and restart Gateway

Check Database:
Review - Review the contents of the database
Validate - Validate edited database

Revert Database:
Revert - Restore to settings before edits

Config Mode: validation passed



Click the Save and Restart link. You will be asked to confirm your choice, 
and the Gateway will reboot with the new configuration. 
Stateful Inspection Options

Stateful Inspection Parameters are active on a WAN interface only if you 
enable them on your Gateway. 



[Screenshot: Stateful Inspection Options for "PPP over Ethernet vcc1"]

Stateful Inspection: [checkbox]
Default Mapping to Router: [checkbox]
TCP Sequence Number Difference: 0
Deny Fragments: [checkbox]
Submit



• Stateful Inspection: To enable stateful inspection on this WAN inter- 
face, check the checkbox. 

• Default Mapping to Router: This is disabled by default. This option will 
allow the router to respond to traffic received on this interface, for exam- 
ple, ICMP Echo requests. 

• TCP Sequence Number Difference: Enter a value in this field. This 
value represents the maximum sequence number difference allowed 
between subsequent TCP packets. If this number is exceeded, the 
packet is dropped. The acceptable range is 0 - 65535. A value of 0 
(zero) disables this check. 

• Deny Fragments: To enable this option, which causes the router to dis- 
card fragmented packets on this interface, check the checkbox. 
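As an added example (not Netopia's code), the following Python models the three per-interface options just listed: Default Mapping to Router, TCP Sequence Number Difference (0 disables the check, range 0 - 65535) and Deny Fragments. Two points are assumptions of this example rather than documented behaviour: the order in which the checks run, and measuring a TCP sequence jump as the shortest distance on the 2^32 ring so that a retransmission is not mistaken for a huge jump. The router address and packets are constructed sample data.

```python
"""Added example, not Netopia's code: a model of the per-interface Stateful
Inspection Options. Check order and modular sequence distance are
assumptions; addresses and packets are constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass

SEQ_MODULUS = 1 << 32   # TCP sequence numbers wrap at 2^32


@dataclass(frozen=True)
class Packet:
    proto: str               # "TCP", "UDP" or "ICMP"
    src: str
    dst: str
    seq: int = 0             # TCP sequence number (TCP only)
    more_fragments: bool = False
    frag_offset: int = 0     # IP fragment offset; > 0 for non-first fragments


def seq_distance(a: int, b: int) -> int:
    """Shortest distance between two sequence numbers on the 2^32 ring."""
    forward = (b - a) % SEQ_MODULUS
    return min(forward, SEQ_MODULUS - forward)


class WanInterfaceOptions:
    def __init__(self, router_addr: str, stateful: bool = True,
                 default_mapping_to_router: bool = False,
                 tcp_seq_diff: int = 0, deny_fragments: bool = False):
        if not 0 <= tcp_seq_diff <= 65535:
            raise ValueError("TCP Sequence Number Difference must be 0 - 65535")
        self.router_addr = router_addr
        self.stateful = stateful
        self.default_mapping_to_router = default_mapping_to_router
        self.tcp_seq_diff = tcp_seq_diff          # 0 disables the check
        self.deny_fragments = deny_fragments
        self.last_seq: dict[tuple[str, str], int] = {}   # (src, dst) -> last seq

    def check(self, pkt: Packet) -> tuple[bool, str]:
        """Return (allowed, reason) for one inbound packet on this interface."""
        if not self.stateful:
            return True, "stateful inspection off on this interface"
        if self.deny_fragments and (pkt.more_fragments or pkt.frag_offset > 0):
            return False, "fragment discarded (Deny Fragments)"
        if pkt.dst == self.router_addr and not self.default_mapping_to_router:
            return False, "traffic to router dropped (Default Mapping to Router off)"
        if pkt.proto == "TCP" and self.tcp_seq_diff > 0:
            key = (pkt.src, pkt.dst)
            last = self.last_seq.get(key)
            if last is not None:
                jump = seq_distance(last, pkt.seq)
                if jump > self.tcp_seq_diff:
                    return False, f"sequence jump {jump} exceeds {self.tcp_seq_diff}"
            self.last_seq[key] = pkt.seq          # only accepted packets advance the record
        return True, "passed interface checks"


def run_demo() -> list[bool]:
    """Constructed traffic against an interface with all three options set."""
    opts = WanInterfaceOptions("192.0.2.1", tcp_seq_diff=1000, deny_fragments=True)
    traffic = [
        Packet("ICMP", "203.0.113.7", "192.0.2.1"),                      # echo to router: dropped
        Packet("TCP", "203.0.113.7", "192.168.1.10", seq=1000),          # first packet: allowed
        Packet("TCP", "203.0.113.7", "192.168.1.10", seq=1500),          # +500: allowed
        Packet("TCP", "203.0.113.7", "192.168.1.10", seq=9000),          # +7500 > 1000: dropped
        Packet("UDP", "203.0.113.7", "192.168.1.10", frag_offset=185),   # fragment: dropped
    ]
    return [opts.check(p)[0] for p in traffic]


if __name__ == "__main__":
    for allowed, reason in [(a, r) for a, r in map(
            WanInterfaceOptions("192.0.2.1", tcp_seq_diff=1000, deny_fragments=True).check,
            [Packet("ICMP", "203.0.113.7", "192.0.2.1")])]:
        print("ALLOW" if allowed else "DROP", "-", reason)
```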
Open Ports in Default Stateful Inspection Installation

Port  Protocol  Description   LAN (Private) Interface  WAN (Public) Interface
23    TCP       telnet        Yes                      No
53    UDP       DNS           Yes                      No
67    UDP       Bootps        Yes                      No
68    UDP       Bootpc        Yes                      No
80    TCP       HTTP          Yes                      No
137   UDP       Netbios-ns    Yes                      No
138   UDP       Netbios-dgm   Yes                      No
161   UDP       SNMP          Yes                      No
500   UDP       ISAKMP        Yes                      No
520   UDP       Router        Yes                      No



Log Event Dispositions

NOTE:

Syslog needs to be enabled to comply with logging requirements mentioned in The Modular Firewall Certification Criteria - Baseline Module - version 4.0 (specified by ICSA Labs). See "Syslog Parameters" on page 109. For more information, please go to the following URL: http://www.icsalabs.com/html/communities/firewalls/certification/criteria/Baseline.pdf
Link: Security Log



Security Monitoring is a keyed feature. See page 149 for information con- 
cerning installing Cayman Software Feature Keys. 

Security Monitoring detects security-related events, including common 
types of malicious attacks, and writes them to the security log file. 



[Screenshot: Security Monitor Log toolbar with Show and Reset links]



Using the Security Monitoring Log 

You can view the Security Log at any time. Use the following steps: 

1. Click the Security toolbar button. 

2. Click the Security Log link. 

3. Click the Show link from the Security Log tool bar. 

4. An example of the Security Log is shown on the next page. 

5. When a new security event is detected, you will see the Alert button. 
The Security Alert remains until you view the information. Clicking the 
Alert button will take you directly to a page showing the log. 
[Screenshot: an example Security Log. The page header reads "Please refer to your customer documentation for a description of the logged event." Each record lists the Security alert type, Protocol type, IP source address and Time at last attempt. Port Scan records add the Number of ports that were scanned, the Highest port, the Lowest port and the list of ports (only the first 10 ports are recorded). Excessive Pings records add the IP destination address and Number of attempts. Illegal Packet Size (Ping of Death) records add the IP destination address, Number of attempts and the Illegal packet size. The address, port and timestamp values in the screenshot are not legible in this copy.]



The capacity of the security log is 100 security alert messages. When the 
log reaches capacity, subsequent messages are not captured, but they are 
noted in the log entry count. 
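As an added example (not Netopia's Security Monitoring implementation), the Python below shows how a detector can produce log records carrying the fields visible in the Security Log screenshot above: alert type, protocol, source and destination address, time at last attempt and, for a port scan, the number of ports scanned, the highest and lowest port and the first ten ports. It also applies the capacity rule just described: 100 stored records, with later alerts counted in the entry count but not captured. The detection thresholds, the time window and every event in the demo are assumptions and constructed sample data.

```python
"""Added example, not Netopia's code: a Security Monitor-style detector
producing Port Scan, Excessive Pings and Illegal Packet Size records, with a
100-record log and an overflow count. Thresholds, window and events are
assumptions / constructed sample data."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

LOG_CAPACITY = 100
PORTS_RECORDED = 10        # "Only the first 10 ports are recorded."


@dataclass(frozen=True)
class Event:
    ts: int                # seconds on a simulated clock
    proto: str             # "TCP", "UDP" or "ICMP"
    src: str
    dst: str
    dport: int = 0         # TCP/UDP destination port
    icmp_echo: bool = False
    length: int = 64       # reassembled IP datagram length in bytes


@dataclass
class Alert:
    alert_type: str
    proto: str
    src: str
    dst: str
    last_ts: int
    count: int = 0         # number of attempts, or of ports scanned
    ports: list = field(default_factory=list)   # first PORTS_RECORDED ports
    highest_port: int = 0
    lowest_port: int = 0
    illegal_size: int = 0


class SecurityMonitor:
    def __init__(self, scan_ports: int = 5, ping_limit: int = 20, window: int = 10):
        self.scan_ports, self.ping_limit, self.window = scan_ports, ping_limit, window
        self.log: list[Alert] = []
        self.uncaptured = 0                      # alerts noted only in the count
        self._live: dict[tuple, Alert] = {}      # (alert type, src) -> record
        self._ports = defaultdict(dict)          # src -> {port: first-seen ts}
        self._pings = defaultdict(list)          # src -> echo-request timestamps

    def entry_count(self) -> int:
        """Stored records plus those that arrived after the log was full."""
        return len(self.log) + self.uncaptured

    def _alert(self, kind: str, ev: Event) -> Alert:
        """Return the live record for (kind, source), creating it on first hit."""
        key = (kind, ev.src)
        rec = self._live.get(key)
        if rec is None:
            rec = Alert(kind, ev.proto, ev.src, ev.dst, ev.ts)
            self._live[key] = rec
            if len(self.log) < LOG_CAPACITY:
                self.log.append(rec)
            else:
                self.uncaptured += 1             # not captured, but counted
        rec.last_ts = ev.ts
        return rec

    def observe(self, ev: Event) -> None:
        if ev.proto == "ICMP" and ev.length > 65535:        # oversized datagram
            rec = self._alert("Illegal Packet Size (Ping of Death)", ev)
            rec.count += 1
            rec.illegal_size = ev.length
        if ev.proto == "ICMP" and ev.icmp_echo:
            pings = self._pings[ev.src]
            pings.append(ev.ts)
            pings[:] = [t for t in pings if ev.ts - t <= self.window]
            if len(pings) > self.ping_limit:
                rec = self._alert("Excessive Pings", ev)
                rec.count = len(pings)
        if ev.proto in ("TCP", "UDP") and ev.dport:
            seen = self._ports[ev.src]
            seen.setdefault(ev.dport, ev.ts)
            if len(seen) >= self.scan_ports:
                rec = self._alert("Port Scan", ev)
                rec.count = len(seen)
                rec.highest_port, rec.lowest_port = max(seen), min(seen)
                rec.ports = sorted(seen, key=seen.get)[:PORTS_RECORDED]  # arrival order


def run_demo() -> SecurityMonitor:
    """Constructed traffic: an 8-port probe, 25 echo requests in a short burst
    and one oversized ICMP datagram, each from a different source."""
    mon = SecurityMonitor()
    events = [Event(t, "TCP", "203.0.113.9", "192.168.1.5", dport=p)
              for t, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443])]
    events += [Event(10 + i // 10, "ICMP", "203.0.113.10", "192.168.1.5", icmp_echo=True)
               for i in range(25)]
    events.append(Event(30, "ICMP", "198.51.100.4", "192.168.1.5", length=65550))
    for ev in events:
        mon.observe(ev)
    return mon


def overflow_demo(sources: int = 120) -> SecurityMonitor:
    """One oversized datagram from each of `sources` constructed addresses."""
    mon = SecurityMonitor()
    for i in range(sources):
        mon.observe(Event(i, "ICMP", f"10.0.0.{i}", "192.168.1.5", length=70000))
    return mon


if __name__ == "__main__":
    for rec in run_demo().log:
        print(rec)
```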
To reset this log, select Reset from the Security Monitor tool bar. The following message is displayed:

    The security log has been reset.

When the Security Log contains no entries, this is the response:

    The security log is empty.



Timestamp Background 

During bootup, to provide better log information and to support improved 
troubleshooting, a Cayman Gateway acquires the National Institute of Stan- 
dards and Technology (NIST) Universal Coordinated Time (UTC) reference 
signal, and then adjusts it for your local time zone. 

Once per hour, the Gateway attempts to re-acquire the NIST reference, for 
re-synchronization or initial acquisition of the UTC information. Once 
acquired, all subsequent log entries display this date and time information. 
UTC provides the equivalent of Greenwich Mean Time (GMT) information. 

If the WAN connection is not enabled (or NTP has been disabled), the inter- 
nal clocking function of the Gateway provides log timestamps based on 
"uptime" of the unit. 
Install

Button: Install

From the Install toolbar button you can install new Operating System Software and Feature Keys as updates become available.

The descriptions below provide information on the links displayed on the left of the screen.

Install Key: Installation page for software keys. These allow additional features to run on the Gateway. A list of features available for the Gateway can be viewed from the System Status page.

Install Software: Installation page for upgrading the operating system software.
Link: Install Software



(This link is not available on the 3342/3352 models, since firmware 
updates must be upgraded via the USB host driver.) 

This page allows you to install an updated release of the Cayman Operating 
System (CaymanOS). 



[Screenshot: Install Operating System Software page]

Browse your computer to find the system software file, or type in the full path and filename. Next, to install the file on your Gateway, click the 'Install Software' button.

The latest releases are available online at Netopia's website: www.netopia.com.

The install may take a few minutes. After the install has completed, restart your Gateway to run the new software.

[Browse...] [Install Software]



Updating Your Gateway's CaymanOS Version. You install a new operat- 
ing system image in your unit from the Install Operating System Software 
page. For this process, the computer you are using to connect to the Cay- 
man Gateway must be on the same local area network as the Cayman Gate- 
way. 



Required Tasks 

• "Task 1: Required Files" on page 145 

• "Task 2: CaymanOS Image File" on page 145 

Task 1: Required Files

Upgrading the CaymanOS requires a Cayman Operating System image file.

Background

Software upgrade image files are posted periodically on the Netopia web- 
site. You can download the latest operating system software for your Gate- 
way from the following URL: 

http://www.netopia.com/en-us/equipment/purchase/fmw_update.html 

When you download your operating system upgrade from the Netopia web- 
site, be sure to download the latest release notes or User Guide PDF files. 
These are posted on the same Web page as the software. 

Confirm CaymanOS Image Files 

The CaymanOS Image file is specific to the model and the product identifica- 
tion (PID) number. 

1. Confirm that you have received the appropriate CaymanOS Image file. 

2. Save the CaymanOS image file to a convenient location on your PC. 

Task 2: CaymanOS Image File 
Install the CaymanOS Image 

To install the CaymanOS software in your Cayman Gateway from the Home 
Page use the following steps: 
1. Open a web connection to your Cayman Gateway from the computer on your LAN.

2. Click the Install Software button on the Cayman Gateway Home page.

The Install New Cayman Software window opens.

3. Enter the filename into the text box by using one of these techniques:

The CaymanOS file name begins with a shortened form of the version number and ends with the suffix ".bin" (for "binary"). Example: n720.bin

a. Click the Browse button, select the file you want, and click Open,
-or-

b. Enter the name and path of the software image you want to install in the text field and click Open.

4. Click the Install Software button.

The Cayman Gateway copies the image file from your computer and installs it into its memory storage. You see a progress bar appear on your screen as the image is copied and installed.

[Screenshot: Install Software progress display]

When the image has been installed, a success message displays. 



[Screenshot: File Installation Success page]

File Installation Success

The file installation was successful. You must restart your Gateway in order for the changes to take effect.

5. When the success message appears, click the Restart button and confirm 
the Restart when you are prompted. 

Your Cayman Gateway restarts with its new image. 
Verify the CaymanOS Release

To verify that the CaymanOS image has loaded successfully, use the follow- 
ing steps: 

1. Open a web connection to your Cayman Gateway from the computer on 
your LAN and return to the Home page. 

2. Verify your CaymanOS Software Release, as shown on the Home Page. 
This completes the upgrade process.



Link: Install Keys 

You can obtain advanced product functionality by employing a software Fea- 
ture Key. Software feature keys are specific to a Gateway's serial number. 
Once the feature key is installed and the Gateway is restarted, the new fea- 
ture's functionality becomes enabled. 

Use Cayman Software Feature Keys 

Cayman Gateway users obtain advanced product functionality by installing a 
software feature key. This concept utilizes a specially constructed and dis- 
tributed keycode (referred to as a feature key) to enable additional capabil- 
ity within the unit. 

Software feature key properties are specific to a unit's serial number; they 
will not be accepted on a platform with another serial number. 

Once installed, and the Gateway restarted, the new feature's functionality 
becomes available. This allows full access to configuration, operation, 
maintenance and administration of the new enhancement. 

Obtaining Software Feature Keys 

Contact Netopia or your Service Provider to acquire a Software Feature Key.

Procedure - Install a New Feature Key File

With the appropriate feature keycode, use the steps listed below to enable 
a new function. 

1. From the Home page, click the Install toolbar button. 

2. Click Install Keys 

The Install Key File page appears. 

3. Enter the feature keycode in the input Text Box. 

Type the full keycode in the Text Box. 
[Screenshot: Install Key page]

You may be able to extend the features of your Gateway by purchasing an Upgrade Key. A list of upgrades is available online at www.netopia.com. To purchase an upgrade you must provide your serial number, which is: 10095016

Type in the Upgrade Key exactly as given. It is case sensitive.

After the install has completed, restart your Gateway to enable the new features.

Upgrade Key: [text box]
[Install Key]



4. Click the Install Key button.



[Screenshot: File Installation Success page]

File Installation Success

The file installation was successful. You must restart your Gateway in order for the changes to take effect.



5. Click the Restart toolbar button.

The Confirmation screen appears.



[Screenshot: Restart Gateway confirmation page]

Restart Gateway

Restarting the Gateway is needed to enable:

* Changes to your Gateway database configuration

* New feature keys

* Operating System Software Upgrades

When you restart:

• All users will be disconnected

• You will be returned to the Home page

• The Gateway will not respond to your web requests. This inactivity may last for approximately 2 minutes.

Restart the Gateway



6. Click the Restart the Gateway link to confirm. 



To check your installed features: 

7. Click the Install toolbar button. 

8. Click the List of Features link. 

The System Status page appears with the information from the features link displayed below. You can check that the feature you just installed is enabled.



[Screenshot: System Status page. The navigation table ("Select an option from the table below") offers: General (All Status, Overview, Features, Memory); Ports (Ethernet, DSL); IP (Interfaces, Routes, ARP); DSL (Statistics, Circuit Configuration); Bridge (Interfaces, Address Table); System Log (Entire, Page by Page, Reset); Other (DHCP Client, DHCP Server, PPPoE).]

Available features:

Feature                   Mode      Expiration  Notes
Security Monitoring       Keyed     None
ATM vccs                  Keyed     None        Limit: 1
PPPoE sessions            Keyed     None        Limit: 1
concurrent WAN users      Keyed     None        Unlimited
Basic Firewall            Disabled
VPN                       Keyed     None
Enterprise class Upgrade  Disabled
chapter 4 Basic Troubleshooting



This section gives some simple suggestions for troubleshooting 
problems with your Gateway's initial configuration. 

Before troubleshooting, make sure you have 

• read the Quickstart Guide; 

• plugged in all the necessary cables; and 

• set your PC's TCP/IP controls to obtain an IP address auto- 
matically. 
Status Indicator Lights



The first step in troubleshooting is to check the status indicator 
lights (LEDs) in the order outlined below. 

Cayman Gateway 3340 status indicator lights

Ethernet Link: Solid green when connected

Ethernet Traffic: Flashes green when there is activity on the LAN

DSL Traffic: Blinks green when traffic is sent/received over the WAN

Power: Solid green when the power is on

PPPoE Active: Solid green when PPPoE is negotiated; otherwise, not lit

DSL Sync: Blinking green with no line attached or training, solid green when trained with the DSL line.
Cayman Gateway 3341 status indicator lights

Ethernet Link: Solid green when connected

Ethernet Traffic: Flashes green when there is activity on the LAN

DSL Traffic: Blinks green when traffic is sent/received over the WAN

Power: Solid green when the power is on

USB Active: Solid green when USB is connected; otherwise, not lit

DSL Sync: Blinking green with no line attached or training, solid green when trained with the DSL line.
Cayman Gateway 3342 status indicator lights



Cayman Gateway 3346 status indicator lights

Power: Solid green when the power is on

DSL Sync: Blinks green with no line attached or training, solid green when trained with the DSL line

LAN 1,2,3,4: Solid green when Ethernet link is established; blinks green when traffic is sent or received over the Ethernet
Cayman Gateway 3347W status indicator lights

3347W Front View

Power - Green when power is applied

DSL SYNC - Flashes green when training; solid green when trained; flashes green for DSL traffic

LAN 1,2,3,4 - Solid green when connected to each port on the LAN. Flash green when there is activity on each port.

Wireless Link - Flashes green when there is activity on the wireless LAN.



LED Function Summary Matrix

Unlit: Power - No power; USB Active - No signal; DSL Sync - No signal; DSL Traffic - No signal; Ethernet Traffic - No signal; Ethernet Link - No signal

Solid Green: Power - Power on; USB Active - USB port connected to PC; DSL Sync - DSL line synched with the DSLAM; DSL Traffic - N/A; Ethernet Traffic - N/A; Ethernet Link - Synched with Ethernet card

Flashing Green: Power - N/A; USB Active - Activity on the USB cable; DSL Sync - Attempting to train with DSLAM; DSL Traffic - Activity on the DSL cable; Ethernet Traffic - Activity on the Ethernet cable; Ethernet Link - N/A



If a status indicator light does not look correct, look for these 
possible problems: 



LED: Power
State: Unlit
Possible problems:

1. Make sure the power switch is in the ON position.

2. Make sure the power adapter is plugged into the 3300-series DSL Gateway properly.

3. Try a known good wall outlet.

4. Replace the power supply and/or unit.

LED: DSL Sync
State: Unlit
Possible problems:

1. Make sure you are using the correct cable. The DSL cable is the thinner standard telephone cable.

2. Make sure the DSL cable is plugged into the correct wall jack.

3. Make sure the DSL cable is plugged into the DSL port on the 3300-series DSL Gateway.

4. Make sure the DSL line has been activated at the central office DSLAM.

5. Make sure the 3300-series DSL Gateway is not plugged into a micro filter.
LED: EN Link
State: Unlit
Possible problems:

Note: EN Link light is inactive if only using USB.

1. Make sure you are using the Ethernet cable, not the DSL cable. The Ethernet cable is thicker than the standard telephone cable.

2. Make sure the Ethernet cable is securely plugged into the Ethernet jack on the PC.

3. If plugging a 3300-series DSL Gateway into a hub, you may need to plug into an uplink port on the hub, or use an Ethernet crossover cable.

4. Make sure the Ethernet cable is securely plugged into the Ethernet port on the 3300-series DSL Gateway.

5. Try another Ethernet cable if you have one available.

LED: EN Traffic
State: Unlit
Possible problems:

1. Make sure you have Ethernet drivers installed on the PC.

2. Make sure the PC's TCP/IP Properties for the Ethernet Network Control Panel is set to obtain an IP address via DHCP.

3. Make sure the PC has obtained an address in the 192.168.1.x range. (You may have changed the subnet addressing.)

4. Make sure the PC is configured to access the Internet over a LAN.

5. Disable any installed network devices (Ethernet, HomePNA, wireless) that are not being used to connect to the 3300-series DSL Gateway.
LED: USB Active
State: Unlit
Possible problems:

Note: USB Active light is inactive if only using Ethernet.

1. Make sure you have USB drivers installed on the PC.

2. Make sure the PC's TCP/IP Properties for the USB Network Control Panel is set to obtain an IP address via DHCP.

3. Make sure the PC has obtained an address in the 192.168.1.x range. (You may have changed the subnet addressing.)

4. Make sure the PC is configured to access the Internet over a LAN.

5. Disable any installed network devices (Ethernet, HomePNA, wireless) that are not being used to connect to the 3300-series DSL Gateway.

LED: DSL Traffic
State: Unlit
Possible problems:

Launch a browser and try to browse the Internet. If the DSL Active light still does not flash, then proceed to Advanced Troubleshooting below.
Factory Reset Switch



Lose your password? This section shows how to reset the Cay- 
man Gateway so that you can access the configuration screens 
once again. (Except model 3342 USB-powered modem) 



NOTE: 

Keep in mind that all of your settings will need to be 
reconfigured. 



If you don't have a password, the only way to access the Cay- 
man Gateway is the following: 

1. Referring to the diagram below, find the round Reset Switch 
opening. 




[Diagram: rear panel of the Gateway showing the Ethernet port, the USB port, the On/Off switch, and the Factory Reset Switch opening ("Push to clear all settings").]



2. Carefully insert the point of a pen or an unwound paperclip 
into the opening. 

3. Press this switch very briefly. Don't hold it more than a sec- 
ond. 

4. This will reset the unit to factory defaults and you will now be 
able to reprogram the Cayman Gateway. 
chapter 5 Advanced Troubleshooting

Advanced Troubleshooting can be accessed from the Gateway's Web UI. Point your browser to http://192.168.1.254. The main page displays the device status. (If this does not make the Web UI appear, then do a release and renew in Windows networking to see what the Gateway address really is.)
Home Page



The home page displays basic information about the Gateway. This includes 
the ISP Username, Connection Status, Device Address, Remote Gateway 
Address, DNS-1, and DNS-2. If you are not able to connect to the Internet, 
verify the following: 




[Screenshot: Cayman 3341 Home Page]

Serial Number: 10095016          Software Release: 7.3.0
Warranty Date: 04/05/2003
Status of DSL: Up
Local WAN IP Address: 143.137.199.3      Primary DNS: 143.137.50.10
Remote Gateway Address: 63.15.125.12     Secondary DNS: 143.137.137.9
ISP UserName: dsingh
Ethernet Status: Up                      USB Status: Down



Item: Description

Local WAN IP Address: This is the negotiated address of the Gateway's WAN interface. This address is usually dynamically assigned.

Remote Gateway Address: This is the negotiated address of the remote router to which this Gateway is connected.

Status of Connection: 'Waiting for DSL' is displayed while the Gateway is training. This should change to 'Up' within two minutes. If not, make sure an RJ-11 cable is used, the Gateway is connected to the correct wall jack, and the Gateway is not plugged into a micro filter. 'No Connection' is displayed if the Gateway has trained but failed the PPPoE login. This usually means an invalid user name or password. Go to Expert Mode and change the PPPoE name and password. 'Up' is displayed when the ADSL line is synched and the PPPoE (or other connection method) session is established. 'Down' is displayed if the line connection fails.

ISP Username: This should be the valid PPPoE username. If not, go to Expert Mode and change to the correct username.

Device Address: This is the negotiated address of the Gateway's WAN interface. This address is often dynamically assigned. Make sure this is a valid address. If this is not the correct assigned address, go to Expert Mode and verify the PPPoE address has not been manually assigned.

Device Gateway: This is the negotiated address of the remote router. Make sure this is a valid address. If this is not the correct address, go to Expert Mode and verify the address has not been manually assigned.

Primary DNS/Secondary DNS: These are the negotiated DNS addresses. Make sure they are valid DNS addresses. (Secondary DNS is optional, and may validly be blank (0.0.0.0).) If these are not the correct addresses, go to Expert Mode and verify the addresses have not been manually assigned.

Serial Number: This is the unique serial number of your Gateway.

Ethernet Status: (if so equipped; not available on 3342/3352) This is the status of your Ethernet connection. If you are connecting via Ethernet, it should be Up.

USB Status: This is the status of your USB connection (if equipped). If you are connecting via USB, it should be Up.

Software Release: This is the version number of the current embedded software in your Gateway.

Warranty Date: This is the date that your Gateway was installed and enabled.

If all of the above seem correct, then access Expert Mode by clicking the Expert Mode link.
Button: Troubleshoot



Expert Mode 

Expert Mode has advanced troubleshooting tools that are used to pinpoint 
the exact source of a problem. 

Clicking the Troubleshoot tab displays a page with links to System Status, 
Network Tools, and Diagnostics. 




• System Status: Displays an overall view of the system and its condition. 

• Network Tools: Includes NSLookup, Ping and TraceRoute. 

• Diagnostics: Runs a multi-layer diagnostic test that checks the LAN, 
WAN, PPPoE, and other connection issues. 

System Status 

In the system status screen, there are several utilities that are useful for 
troubleshooting. Some examples are given below. 
Link: Ports: Ethernet



The Ethernet port selection shows the traffic sent and received on the 
Ethernet interface. There should be frames and bytes on both the upstream 
and downstream sides. If there are not, this could indicate a bad Ethernet 
cable or no Ethernet connection. Below is an example: 



[Screenshot: Ethernet Driver Statistics, two captures a moment apart]

Ethernet driver statistics - 10/100 Ethernet
Type: 100BASET
Port Status: Link up
General :
  Transmit OK       : 7862
  Receive OK        : 4454
  Tx Errors         : 0
  Rx Errors         : 0
  Rx CRC Errors     : 0
  Rx Frame Errors   : 0
Upper Layers :
  Rx No Handler     : 0
  Rx No Message     : 0
  Rx Octets         : 975576
  Rx Unicast Pkts   : 4156
  Rx Multicast Pkts : 203
  Tx Discards       : 0
  Tx Octets         : 2117992
  Tx Unicast Pkts   : 3789
  Tx Multicast Pkts : 4073

Ethernet driver statistics - USB
Port Status: Link down
General :
  Transmit OK, Receive OK, Tx Errors, Rx Errors, Tx Octets, Rx Octets (counters not legible in this copy)

(The second capture shows the 10/100 Ethernet counters slightly advanced: Transmit OK 7863, Receive OK 4458, Rx Octets 976327, Rx Unicast Pkts 4159, Rx Multicast Pkts 204, with all error counters still 0.)
Link: Ports: DSL 



The DSL port selection shows the state of the DSL line, whether it is up or 
down and how many times the Gateway attempted to train. The state 
should indicate 'up' for a working configuration. If it is not, check the DSL 
cable and make sure it is plugged in correctly and not connected to a micro 
filter. Below is an example: 

[Figure: DSL port status screen; values that are not legible in the extracted figure are left blank.] 

ADSL Line State:         Up 
ADSL Startup Attempts: 
ADSL Modulation:         DMT 
Datapump Version:        3.22 

                       Downstream    Upstream 
SNR Margin:            18.6 dB       14.0 dB 
Line Attenuation:      0.4 dB        4.0 dB 
Errored Seconds: 
Loss of Signal: 
Loss of Frame: 
CRC Errors: 
Data Rate:             8000          800 
Link: DSL: Circuit Configuration 



The DSL Circuit Configuration screen shows the traffic sent and received 
over the DSL line as well as the trained rate (upstream and downstream) 
and the VPI/VCI. Verify traffic is being sent over the DSL line. If not, check 
the cabling and make sure the Gateway is not connected to a micro filter. 
Also verify the correct PVC is listed, which should be 0/35 (some providers 
use other values, such as 8/35. Check with your provider). If not go to the 
WAN setup and change the VPI/VCI to its correct value. Below is an exam- 
ple: 



ATM port status : Up 
Rx data rate (bps) : 8000 
Tx data rate (bps) : 800 

ATM Virtual Circuits: 

VCC #   Type   VPI   VCI   Encapsulation 
1       PVC    8     35    PPP over Ethernet (LLC/SNAP encapsulation) 

ATM Circuit Statistics: 

Rx Frames     : 17092     Tx Frames     : 25078 
Rx Octets     : 905876    Tx Octets     : 1329134 
Rx Errors     : 0         Tx Errors     : 0 
Rx Discards   : 0         Tx Discards   : 0 
No Rx Buffers : 0         Tx Queue Full : 0 



Link: System Log: Entire 



The system log shows the state of the WAN connection as well as the PPPoE session. Ver- 
ify that the PPPoE session has been correctly established and there are no failures. If 
there are error messages, go to the WAN configuration and verify the settings. The follow- 
ing is an example of a successful connection: 



Message Log: 

[Figure: system log screen; the date, time and level (L3/L4) columns are omitted below except for the last three entries.] 

KS: Using configured options found in flash 
BOOT: Warm start v7.3r0 
IP address server initialization complete 
Using saved configuration options 
Cayman SOC OS version 7.3.0 (build r0) 
Cayman-3000/9495032 (Cayman-3000, rev 1), PID 1205 
last install status: Firmware installed successfully 
memory sizes - 2048K Flash, 8192K RAM 
Starting kernel 
AAL5: initializing service 
ATM: Waiting for PHY layer to come up 
POE: Initializing PPP over Ethernet service 
POE: Binding to Ethernet (ether/vcc1) 
BRDG: Configuring port (10/100BT-LAN) 
BRDG: Bridge not enabled for WAN. 
BRDG: Bridging from one WAN port to another is disabled 
BRDG: Initialization complete 
Routing between WAN ports is disabled 
IPSec client pass through is enabled 
Address mapping enabled on interface PPP over Ethernet vcc1 
Adding default gateway over PPP over Ethernet vcc1 
Initialization complete 
IPSec: initializing service 
IPSec: No feature key available - service disabled 
PPP: PPP over Ethernet vcc1 binding to PPPoE 
PPP: PPP over Ethernet vcc1 Port listening for incoming PPP connection requests 
RFC1483-1 up 
Service-Name=ANY 
Host-Uniq 00000001 
AC-Name=62011050058192-SMS1800 
Service-Name=ANY 
lcp: LCP Send Config-Request+ 
    MAGIC 0x2dee0000+ 
lcp: LCP Recv Config-Req:+ 
    MRU(1492) (ACK) AUTHTYPE (c223) (CHAP) (ACK) MAGIC NUMBER (4403604) (ACK) 
lcp: returning Configure-Ack 
chap: received challenge, id 1 
chap: received success, id 1 
ipcp: IPCP Config-Request+ 
    ADDR(0x0) DNS(0x0) DNS2(0x0) WINS(0x0) WINS2(0x0) 
ipcp: IPCP Recv Config-Req:+ 
    ADDR(143.137.199.254) (ACK) 
ipcp: returning Configure-ACK 
ipcp: IPCP Config-Request+ 
    ADDR(0x0) DNS(0x0) DNS2(0x0) 
ipcp: IPCP Config-Request+ 
    ADDR(0x8f89c702) DNS(0x8f89320a) DNS2(0x8f898909) 
ipcp: negotiated remote IP address 143.137.199.254 
ipcp: negotiated IP address 143.137.199.2 
ipcp: negotiated TCP hdr commpression off 
NTP: Update system date & time 
7/16/03 01:55:31 PM L4 "admin" logging in on serial port 0 
7/16/03 01:55:33 PM L4 "Admin" completed login: Full Read/Write access 
7/16/03 01:55:33 PM L4 "Admin" completed login: Full Read/Write access 
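The check described above (is the PPPoE session established, and did anything fail on the way) can be automated over log text in the format shown. The script below is an added example, not part of the manual: it parses the date, level (L1 to L5, the numbering the loglevel command uses) and message of each entry, walks the PPPoE/PPP milestones in order, extracts the negotiated addresses and lists login records, which the CLI writes to this log with the access level granted. The two sample logs are constructed for this example, with invented timestamps.

```python
import re
from typing import Dict, List, NamedTuple, Union

class LogEntry(NamedTuple):
    timestamp: str
    level: int   # 1 (low) .. 5 (failure), the numbering used by the loglevel command
    text: str

# Level names accepted by the loglevel command, in ascending severity.
LEVEL_NAMES = {"low": 1, "medium": 2, "high": 3, "warning": 4, "failure": 5}

# One log line looks like "7/16/03 01:55:31 PM L4 message"; lines that do not start
# this way are continuations (the option lists printed under a Config-Request).
ENTRY_RE = re.compile(r"^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) L(?P<lvl>[1-5]) (?P<text>.*)$")

# Milestones of a PPPoE/PPP bring-up, in the order they must appear in the log.
PPP_STAGES = [
    ("pppoe_bind", re.compile(r"PPP over Ethernet vcc\d+ binding to PPPoE")),
    ("pppoe_discovery", re.compile(r"^AC-Name=")),
    ("lcp_up", re.compile(r"^lcp: returning Configure-Ack", re.I)),
    ("chap_ok", re.compile(r"^chap: received success")),
    ("ipcp_up", re.compile(r"^ipcp: returning Configure-ACK", re.I)),
    ("ip_assigned", re.compile(r"^ipcp: negotiated IP address \S+")),
]
# Words that mark a negotiation or authentication problem worth surfacing.
PROBLEM_RE = re.compile(r"\b(fail(ed|ure)?|reject|nak|timeout|terminat)", re.I)
NEGOTIATED_RE = re.compile(r"^ipcp: negotiated (remote )?IP address (\S+)")
LOGIN_RE = re.compile(r"logging in on|completed login")

def parse_log(text: str) -> List[LogEntry]:
    entries: List[LogEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(LogEntry(m["ts"], int(m["lvl"]), m["text"].strip()))
        elif entries:  # continuation: glue it onto the previous entry
            prev = entries[-1]
            entries[-1] = prev._replace(text=prev.text + " " + line)
    return entries

def at_or_above(entries: List[LogEntry], level: Union[int, str]) -> List[LogEntry]:
    """Apply the loglevel rule: keep entries whose level is >= the threshold (number or name)."""
    threshold = LEVEL_NAMES[level] if isinstance(level, str) else int(level)
    return [e for e in entries if e.level >= threshold]

def check_ppp_session(entries: List[LogEntry]) -> Dict:
    """Walk the log in order and report how far the PPPoE session got."""
    report: Dict = {"stages": [], "missing": None, "local_ip": None,
                    "remote_ip": None, "problems": [], "logins": []}
    pos = 0
    for name, pattern in PPP_STAGES:
        hit = next((i for i in range(pos, len(entries)) if pattern.search(entries[i].text)), None)
        if hit is None:
            report["missing"] = name   # first milestone never reached
            break
        report["stages"].append(name)
        pos = hit + 1                  # later milestones must come after this one
    for e in entries:
        m = NEGOTIATED_RE.match(e.text)
        if m:
            report["remote_ip" if m.group(1) else "local_ip"] = m.group(2)
        if PROBLEM_RE.search(e.text):
            report["problems"].append(e.text)
        if LOGIN_RE.search(e.text):    # the CLI records every login with its access level
            report["logins"].append(f"{e.timestamp} {e.text}")
    report["established"] = report["missing"] is None and report["local_ip"] is not None
    return report

# Constructed sample modelled on the log shown above (timestamps and levels invented).
SAMPLE_LOG = """\
7/16/03 01:54:00 PM L3 POE: Initializing PPP over Ethernet service
7/16/03 01:54:00 PM L4 IPSec: No feature key available - service disabled
7/16/03 01:54:01 PM L3 PPP: PPP over Ethernet vcc1 binding to PPPoE
7/16/03 01:54:04 PM L3 AC-Name=62011050058192-SMS1800
7/16/03 01:54:04 PM L3 lcp: LCP Recv Config-Req:+
    MRU(1492) (ACK) AUTHTYPE (c223) (CHAP) (ACK) MAGIC NUMBER (4403604) (ACK)
7/16/03 01:54:05 PM L3 lcp: returning Configure-Ack
7/16/03 01:54:05 PM L3 chap: received challenge, id 1
7/16/03 01:54:05 PM L3 chap: received success, id 1
7/16/03 01:54:06 PM L3 ipcp: returning Configure-ACK
7/16/03 01:54:06 PM L3 ipcp: negotiated remote IP address 143.137.199.254
7/16/03 01:54:06 PM L3 ipcp: negotiated IP address 143.137.199.2
7/16/03 01:55:31 PM L4 "admin" logging in on serial port 0
"""

# Same start, but the peer rejects the CHAP response (constructed failure case).
FAILED_LOG = """\
7/16/03 02:10:01 PM L3 PPP: PPP over Ethernet vcc1 binding to PPPoE
7/16/03 02:10:04 PM L3 AC-Name=62011050058192-SMS1800
7/16/03 02:10:05 PM L3 lcp: returning Configure-Ack
7/16/03 02:10:05 PM L3 chap: received challenge, id 1
7/16/03 02:10:05 PM L4 chap: received failure, id 1
"""
```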
Diagnostics 



The diagnostics section tests a number of different things at the same 
time, including the DSL line, the Ethernet interface and the PPPoE session. 



diagnose 

==== Checking Ethernet (LAN) Interface 
Check Ethernet LAN connect                          PASS 
Check IP connect to Ethernet (LAN)                  PASS 

==== Checking DSL (WAN) Interfaces 
Check DSL Synchronization                           PASS 
Check ATM Cell-Delineation                          PASS 
ATM OAM Segment Ping through (vcc1)                 WARNING 
    *** Don't worry, your service provider may not support this test 
ATM OAM End-To-End Ping through (vcc1)              WARNING 
    *** Don't worry, your service provider may not support this test 
Check Ethernet connect to AAL5 (vcc1)               PASS 
Check PPPOE connect to Ethernet (vcc1)              PASS 
Check PPP connect to PPPOE (vcc1)                   PASS 
Check IP connect to PPP (vcc1)                      PASS 
Pinging Gateway                                     FAIL 

==== Checking Miscellaneous 
Check DNS - Query for cayman.com                    PASS 
Ping DNS Server Primary IP Address                  PASS 
TEST DONE 



The following table summarizes the possible results. 



CODE       Description 

PASS       The test was successful. 
FAIL       The test was unsuccessful. 
SKIPPED    The test was skipped because a test on which it depended failed, or it was 
           not supported by the service provider equipment to which it is connected, or 
           it does not apply. 
PENDING    The test timed out without producing a result. Try running the test again. 
WARNING    The test was unsuccessful. The Service Provider equipment your Gateway 
           connects to may not support this test. 
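The result codes above can be applied mechanically to saved diagnose output, which is useful when the test is run repeatedly or from several gateways. The Python below is an added example, not part of the manual: it parses output laid out as on this page (test name, two or more spaces, result code; a "***" hint line belongs to the test just before it; dependent tests are indented under the test they depend on, as the diagnose command description later in this manual explains), groups tests by result, and for the first FAIL lists the tests that were SKIPPED because of it. The indentation scheme and both sample outputs are constructed for this example.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

RESULT_CODES = ("PASS", "FAIL", "SKIPPED", "PENDING", "WARNING")

class TestResult(NamedTuple):
    section: str   # heading from the preceding "==== Checking ..." line
    name: str
    result: str    # one of RESULT_CODES
    depth: int     # leading-space count; a deeper test depends on the one above it
    note: str      # text of a following "***" line, e.g. the "Don't worry ..." hint

SECTION_RE = re.compile(r"^====\s*(.+?)\s*$")
TEST_RE = re.compile(r"^(?P<indent> *)(?P<name>\S.*?)\s{2,}(?P<result>"
                     + "|".join(RESULT_CODES) + r")\s*$")

def parse_diagnose(output: str) -> List[TestResult]:
    """Turn the console output of 'diagnose' into one record per test."""
    results: List[TestResult] = []
    section = ""
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line in ("TEST DONE", "diagnose"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if line.startswith("***"):
            if results:  # the hint belongs to the test printed just before it
                results[-1] = results[-1]._replace(note=line.lstrip("* "))
            continue
        m = TEST_RE.match(raw.rstrip())
        if m:
            results.append(TestResult(section, m["name"].strip(), m["result"],
                                      len(m["indent"]), ""))
    return results

def summarize(results: List[TestResult]) -> Dict:
    """Group tests by result code; WARNING is informational (provider may not support the test)."""
    summary: Dict = {code: [] for code in RESULT_CODES}
    for r in results:
        summary[r.result].append(f"{r.section}: {r.name}")
    summary["healthy"] = not summary["FAIL"] and not summary["PENDING"]
    return summary

def first_failure(results: List[TestResult]) -> Optional[Tuple[str, List[str]]]:
    """Return the first FAIL and the names of dependent tests skipped because of it."""
    for i, r in enumerate(results):
        if r.result != "FAIL":
            continue
        skipped = []
        for dep in results[i + 1:]:
            if dep.depth <= r.depth:
                break          # back at the same level: no longer a dependent of the failed test
            if dep.result == "SKIPPED":
                skipped.append(dep.name)
        return r.name, skipped
    return None

# Constructed sample, mirroring the example output above with dependent tests indented.
SAMPLE_OUTPUT = """\
==== Checking Ethernet (LAN) Interface
Check Ethernet LAN connect                        PASS
  Check IP connect to Ethernet (LAN)              PASS
==== Checking DSL (WAN) Interfaces
Check DSL Synchronization                         PASS
Check ATM Cell-Delineation                        PASS
ATM OAM Segment Ping through (vcc1)               WARNING
  *** Don't worry, your service provider may not support this test
ATM OAM End-To-End Ping through (vcc1)            WARNING
  *** Don't worry, your service provider may not support this test
Check Ethernet connect to AAL5 (vcc1)             PASS
  Check PPPOE connect to Ethernet (vcc1)          PASS
    Check PPP connect to PPPOE (vcc1)             PASS
      Check IP connect to PPP (vcc1)              PASS
Pinging Gateway                                   FAIL
==== Checking Miscellaneous
Check DNS - Query for cayman.com                  PASS
Ping DNS Server Primary IP Address                PASS
TEST DONE
"""

# Constructed failure case: DSL never synchronizes, so the dependent tests are skipped.
DSL_DOWN_OUTPUT = """\
==== Checking DSL (WAN) Interfaces
Check DSL Synchronization                         FAIL
  Check ATM Cell-Delineation                      SKIPPED
  Check Ethernet connect to AAL5 (vcc1)           SKIPPED
    Check PPPOE connect to Ethernet (vcc1)        SKIPPED
Pinging Gateway                                   FAIL
"""
```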
Network Tools 



Three test tools are available from this page. 

• NSLookup - converts a domain name to its IP address and vice versa. 

• Ping - tests the "reachability" of a particular network destination by 
sending an ICMP echo request and waiting for a reply. 

• TraceRoute - displays the path to a destination by showing the number 
of hops and the router addresses of these hops. 



Network Test Tools 

Enter a host name (such as netopia.com) or an IP address, then click 
on an option below. 

NS Lookup: Converts a host name into IP address or vice versa. 
Ping: Sends a ping message to an Internet Host. 
TraceRoute: Traces the path to an Internet Host. 

Network Host 

Host: [text box]    [NSLookup]  [Ping]  [TraceRoute] 

1. To use the NSLookup capability, type an address (domain name or IP 
address) in the text box and click the NSLookup button. 

Example: Show the IP Address for grosso.com. 



Server:    controllers.cayman.com 
Address:   143.137.137.9 

Name:      www.grosso.com 
Address:   192.150.14.120 
Result: The DNS Server doing the lookup is displayed in the Server: and 
Address: fields. If the Name Server can find your entry in its table, it is 
displayed in the Name: and Address: fields. 

PING: The Network Tools page sends a ping from the Gateway to a host on either 
the LAN or the WAN to verify connectivity. The target can be given as an IP address 
(for example 163.176.4.32) or as a domain name (for example www.netopia.com). 

2. To use the Ping capability, type a destination address (domain name or IP 
address) in the text box and click the Ping button. 

Example: Ping to grosso.com. 
[Figure: ping output for www.grosso.com, showing ICMP echo replies from 192.150.14.120 of about 100 ms each and a closing summary of 5 packets transmitted, 4 packets received.] 

Result: The host was reachable with four out of five packets sent. 
Below are some specific tests: 

Action                                         If PING is not successful, possible causes are: 

From the Gateway's Network Tools page: 

Ping the internet default gateway IP address   DSL is down; DSL or ATM settings are incorrect; 
                                               Gateway's IP address or subnet mask are wrong; 
                                               gateway router is down. 

Ping an internet site by IP address            Gateway's default gateway is incorrect; Gateway's 
                                               subnet mask is incorrect; site is down. 

Ping an internet site by name                  DNS is not properly configured on the Gateway; 
                                               configured DNS servers are down; site is down. 

From a LAN PC: 

Ping the Gateway's LAN IP address              IP address and subnet mask of PC are not on the 
                                               same scheme as the Gateway; cabling or other 
                                               connectivity issue. 

Ping the Gateway's WAN IP address              Default gateway on PC is incorrect. 

Ping the Gateway's internet default gateway    NAT is off on the Gateway and the internal IP 
IP address                                     addresses are private. 

Ping an internet site by IP address            PC's subnet mask may be incorrect; site is down. 

Ping an internet site by name                  DNS is not properly configured on the PC; 
                                               configured DNS servers are down; site is down. 



3. To use the TraceRoute capability, type a destination address (domain 
name or IP address) in the text box and click the TraceRoute button. 
Example: Show the path to the grosso.com site. 



traceroute www.grosso.com 

Traceroute to 192.150.14.120 from address 143.137.199.S (timer gran. 100 ms)... 
30 hops max, 56 byte packets 

 1  143.137.199.254   100 ms    100 ms      0 ms 
 2  143.137.50.254    100 ms      0 ms      0 ms 
 3  143.137.137.254   100 ms      0 ms    100 ms 
 4  141.154.96.161      0 ms      0 ms    100 ms 
 5  141.154.8.13        0 ms    100 ms      0 ms 
 6  4.24.92.97          0 ms    100 ms      0 ms 
 7  4.24.4.225        100 ms      0 ms    100 ms 
 8  4.24.7.121          0 ms      0 ms    100 ms 
 9  4.24.7.113          0 ms    100 ms      0 ms 
10  4.24.6.50         100 ms      0 ms    100 ms 
11  4.24.10.86          0 ms    100 ms    100 ms 
12  4.24.6.234          0 ms    100 ms      0 ms 
13  192.205.32.153    100 ms      0 ms    100 ms 
14  12.123.1.122      100 ms      0 ms    100 ms 
15  12.122.2.173      100 ms    100 ms    100 ms 
16  12.122.2.153      200 ms    100 ms    100 ms 
17  12.122.5.149      100 ms    200 ms    100 ms 
18  12.123.12.189     100 ms    100 ms    200 ms 
19  12.124.32.34      100 ms    100 ms    200 ms 
20  192.150.14.120    100 ms !  100 ms !  100 ms 


Result: It took 20 hops to get to the grosso.com web site. 
chapter 6 Command Line Interface 



The Cayman Gateway operating software includes a command 
line interface (CLI) that lets you access your Cayman Gateway 
over a telnet connection. You can use the command line inter- 
face to enter and update the unit's configuration settings, mon- 
itor its performance, and restart it. 

This chapter covers the following topics: 

• "Overview" on page 178 

• "Starting and Ending a CLI Session" on page 181 

• "Using the CLI Help Facility" on page 182 

• "About SHELL Commands" on page 183 

• "SHELL Commands" on page 184 

• "About CONFIG Commands" on page 196 

• "CONFIG Commands" on page 202 
Overview 



The CLI has two major command modes: SHELL and CONFIG. 
Summary tables that list the commands are provided below. 
Details of the entire command set follow in this section. 



SHELL Commands 

Command       Status and/or Description 

arp           to send ARP request 
atmping       to send ATM OAM loopback 
clear         to erase all stored configuration information 
configure     to configure unit's options 
diagnose      to run self-test 
download      to download config file 
exit          to quit this shell 
help          to get more: "help all" or "help help" 
install       to download and program an image into flash 
license       to enter an upgrade key to add a feature 
log           to add a message to the diagnostic log 
loglevel      to report or change diagnostic log level 
netstat       to show IP information 
nslookup      to send DNS query for host 
ping          to send ICMP Echo request 
quit          to quit this shell 
reset         to reset subsystems 
restart       to restart unit 
show          to show system information 
start         to start subsystem 
status        to show basic status of unit 
telnet        to telnet to a remote host 
traceroute    to send traceroute probes 
upload        to upload config file 
who           to show who is using the shell 
CONFIG Commands 

Command       Status and/or Description 

Verbs 

set           Set configuration data 
define        Define environment data 
delete        Delete configuration list data 
view          View configuration data 
script        Print configuration data 
help          Help command option 
save          Save configuration data 

Keywords 

system        Gateway's system options 
pppoe         PPP over Ethernet options 
dmt           DMT ADSL options 
atm           ATM options (DSL only) 
ip            TCP/IP protocol options 
dhcp          Dynamic Host Configuration Protocol options 
ethernet      Ethernet options 
ip-maps       IPmaps options 
nat-default   Network Address Translation default options 
dns           Domain Name System options 
bridge        Bridge options 
ppp           Peer-to-Peer Protocol options 
pinhole       Pinhole options 
security      Security options 
servers       Internal Server options 
validate      Validate configuration settings 
preferences   Shell environment settings 
snmp          SNMP management options 

Command Utilities 

top           Go to top level of configuration mode 
quit          Exit from configuration mode; return to shell mode 
exit          Exit from configuration mode; return to shell mode 



Starting and Ending a CLI Session 



Open a telnet connection from a workstation on your network. 

You initiate a telnet connection by issuing the following com- 
mand from an IP host that supports telnet, for example, a per- 
sonal computer running a telnet application such as NCSA 
Telnet. 

telnet <ip_address> 

You must know the IP address of the Cayman Gateway before 
you can make a telnet connection to it. By default, your Cayman 
Gateway uses 192.168.1.254 as the IP address for its LAN 
interface. You can use a Web browser to configure the Cayman 
Gateway IP address. 

Logging In 

The command line interface log-in process emulates the log-in 
process for a UNIX host. To log on, enter the username (either 
admin or user), and your password. 

• Entering the administrator password lets you display and 
update all Cayman Gateway settings. 

• Entering a user password lets you display (but not update) 
Cayman Gateway settings. 

When you have logged in successfully, the command line inter- 
face lists the username and the security level associated with 
the password you entered in the diagnostic log. 

Ending a CLI Session 

You end a command line interface session by typing quit from 
the SHELL node of the command line interface hierarchy. 
Saving Settings 

In CONFIG mode, the save command saves the working copy of 
the settings to the Gateway. The Gateway automatically vali- 
dates its settings when you save and displays a warning mes- 
sage if the configuration is not correct. 



Using the CLI Help Facility 

The help command lets you display on-line help for SHELL and 
CONFIG commands. To display a list of the commands available 
to you from your current location within the command line inter- 
face hierarchy, enter help. 

To obtain help for a specific CLI command, type help <com- 
mand>. You can truncate the help command to h or a question 
mark when you request help for a CLI command. 
About SHELL Commands 



You begin in SHELL mode when you start a CLI session. SHELL 
mode lets you perform the following tasks with your Cayman 
Gateway: 

• Monitor its performance 

• Display and reset Gateway statistics 

• Issue administrative commands to restart Cayman Gateway 
functions 

SHELL Prompt 

When you are in SHELL mode, the CLI prompt is the name of 
the Cayman Gateway followed by a right angle bracket (>). For 
example, if you open a CLI connection to the Cayman Gateway 
named "Coconut," you would see Coconut> as your CLI prompt. 

SHELL Command Shortcuts 

You can truncate most commands in the CLI to their shortest 
unique string. For example, you can use the truncated com- 
mand q in place of the full quit command to exit the CLI. How- 
ever, you would need to enter rese for the reset command, 
since the first characters of reset are common to the restart 
command. 

The only commands you cannot truncate are restart and clear. 
To prevent accidental interruption of communications, you must 
enter the restart and clear commands in their entirety. 

You can use the Up and Down arrow keys to scroll backward 
and forward through recent commands you have entered. Alter- 
natively, you can use the !! command to repeat the last com- 
mand you entered. 
SHELL Commands 
Common Commands 



arp nnn.nnn.nnn.nnn 

Sends an Address Resolution Protocol (ARP) request to match 
the nnn.nnn.nnn.nnn IP address to an Ethernet hardware 
address. 



clear [yes] 

Clears the configuration settings in a Cayman Gateway. If you 
do not use the optional yes qualifier, you are prompted to con- 
firm the clear command. 



configure 

Puts the command line interface into Configure mode, which 
lets you configure your Cayman Gateway with Config com- 
mands. Config commands are described starting on page 179. 



diagnose 

Runs a diagnostic utility to conduct a series of internal checks 
and loopback tests to verify network connectivity over each 
interface on your Cayman Gateway. The console displays the 
results of each test as the diagnostic utility runs. If one test is 
dependent on another, the diagnostic utility indents its entry in 
the console window. For example, the diagnostic utility indents 
the Check IP connect to Ethernet (LAN) entry, since that test 
will not run if the Check Ethernet LAN Connect test fails. 
Each test generates one of the following result codes: 

Code       Description 

PASS       The test was successful. 
FAIL       The test was unsuccessful. 
SKIPPED    The test was skipped because a test on which it 
           depended failed, or because the test did not 
           apply to your particular setup or model. 
PENDING    The test timed out without producing a result. 
           Try running the test again. 



download [server_address] [filename] [confirm] 

This command installs a file of configuration parameters into 
the Cayman Gateway from a TFTP (Trivial File Transfer Protocol) 
server. The TFTP server must be accessible on your Ethernet 
network. 

You can include one or more of the following arguments with 
the download command. If you omit arguments, the console 
prompts you for this information. 

• The server_address argument identifies the IP address of 
the TFTP server from which you want to copy the Cayman 
Gateway configuration file. 

• The filename argument identifies the path and name of the 
configuration file on the TFTP server. 

• If you include the optional confirm keyword, the download 
begins as soon as all information is entered. 

install [server_address] [filename] [confirm] 

(Not supported on model 3342/3352) Downloads a new ver- 
sion of the Cayman Gateway operating software from a TFTP 
(Trivial File Transfer Protocol) server, validates the software 
image, and programs the image into the Cayman Gateway memory. 
After you install new operating software, you must restart 
the Cayman Gateway. 

The server_address argument identifies the IP address of 
the TFTP server on which your Cayman Gateway operating soft- 
ware is stored. The filename argument identifies the path 
and name of the operating software file on the TFTP server. 

If you include the optional keyword confirm, you will not be 
prompted to confirm whether or not you want to perform the 
operation. 



license [key] 

This command installs a software upgrade key. An upgrade key 
is a purchased item, based on the serial number of the gate- 
way. 



log message_string 

Adds the message in the message_string argument to the 
Cayman Gateway diagnostic log. 



loglevel [level] 

Displays or modifies the types of log messages you want the 
Cayman Gateway to record. If you enter the loglevel com- 
mand without the optional level argument, the command line 
interface displays the current log level setting. 

You can enter the loglevel command with the level argu- 
ment to specify the types of diagnostic messages you want to 
record. All messages with a level number equal to or greater 
than the level you specify are recorded. For example, if you 
specify loglevel 3, the diagnostic log will retain high-level informational 
messages (level 3), warnings (level 4), and failure 
messages (level 5). 

Use the following values for the level argument: 

• 1 or low - Low-level informational messages or greater; 
includes trivial status messages. 

• 2 or medium - Medium-level informational messages or 
greater; includes status messages that can help monitor net- 
work traffic. 

• 3 or high - High-level informational messages or greater; 
includes status messages that may be significant but do not 
constitute errors. 

• 4 or warning - Warnings or greater; includes recoverable 
error conditions and useful operator information. 

• 5 or failure - Failures; includes messages describing 
error conditions that may not be recoverable. 

netstat -i 

Displays the IP interfaces for your Cayman Gateway. 



netstat -r 

Displays the IP routes stored in your Cayman Gateway. 



nslookup { hostname | ip_address } 

Performs a domain name system lookup for a specified host. 

• The hostname argument is the name of the host for which 
you want DNS information; for example, nslookup klaatu. 

• The ip_address argument is the IP address, in dotted dec- 
imal notation, of the device for which you want DNS informa- 
tion. 
ping [-s size] [-c count] { hostname | ip_address } 

Causes the Cayman Gateway to issue a series of ICMP Echo 
requests for the device with the specified name or IP address. 

• The hostname argument is the name of the device you want 
to ping; for example, ping ftp.netopia.com. 

• The ip_address argument is the IP address, in dotted dec- 
imal notation, of the device you want to locate. If a host 
using the specified name or IP address is active, it returns 
one or more ICMP Echo replies, confirming that it is accessi- 
ble from your network. 

• The -s size argument lets you specify the size of the ICMP 
packet. 

• The -c count argument lets you specify the number of ICMP 
packets generated for the ping request. Values greater than 
250 are truncated to 250. 

You can use the ping command to determine whether a host- 
name or IP address is already in use on your network. You can- 
not use the ping command to ping the Cayman Gateway's own 
IP address. 



quit 

Exits the Cayman Gateway command line interface. 



reset arp 

Clears the Address Resolution Protocol (ARP) cache on your 
unit. 
reset crash 

Clears crash-dump information, which identifies the contents of 
the Cayman Gateway registers at the point of system malfunc- 
tion. 

reset dhcp server 

Clears the DHCP lease table in the Cayman Gateway. 

reset enet 

Resets Ethernet statistics to zero. 

reset ipmap 

Clears the IPMap table (NAT). 
reset log 

Rewinds the diagnostic log display to the top of the existing 
Cayman Gateway diagnostic log. The reset log command does 
not clear the diagnostic log. The next show log command will 
display information from the beginning of the log file. 

reset security-log 

Clears the security monitoring log to make room to capture new 
entries. 

reset wan-users [all | ip-address] 

This function disconnects the specified WAN User to allow for 
other users to access the WAN. This function is only available if 
the number of WAN Users is restricted and NAT is on. Use the 
all parameter to disconnect all users. If you logon as Admin you 
can disconnect any or all users. If you logon as User, you can 
only disconnect yourself. 



restart [seconds] 

Restarts your Cayman Gateway. If you include the optional 
seconds argument, your Cayman Gateway will restart when 
the specified number of seconds have elapsed. You must enter 
the complete restart command to initiate a restart. 



show bridge interfaces 

Displays bridge interfaces maintained by the Cayman Gateway. 



show bridge table 

Displays the bridging table maintained by the Cayman Gateway. 



show crash 

Displays the most recent crash information, if any, for your Cay- 
man Gateway. 



show dhcp server leases 

Displays the DHCP leases stored in RAM by your Cayman Gate- 
way. 



show ip arp 

Displays the Ethernet address resolution table stored in your 
Cayman Gateway. 
show ip igmp 

Displays the contents of the IGMP Group Address table and the 
IGMP Report table maintained by your Cayman Gateway. 

show ip interfaces 

Displays the IP interfaces for your Cayman Gateway. 

show ip ipsec 

Displays IPSec Tunnel statistics. 

show ip firewall 

Displays firewall statistics. 

show ip routes 

Displays the IP routes stored in your Cayman Gateway. 
show ip state-insp 

Displays whether stateful inspection is enabled on an interface 
or not, exposed addresses and blocked packet statistics 
because of stateful inspection. 



show log 

Displays blocks of information from the Cayman Gateway diag- 
nostic log. To see the entire log, you can repeat the show log 
command or you can enter show log all . 
show memory [all] 



Displays memory usage information for your Cayman Gateway. 
If you include the optional all argument, your Cayman Gateway 
will display a more detailed set of memory statistics. 



show pppoe 

Displays status information for each PPP socket, such as the 
socket state, service names, and host ID values. 



show rulesetlist 

Displays all the available application hosting rules in the sys- 
tem. See "Software Hosting" on page 112. 



show status 

Displays the current status of a Cayman Gateway, the device's 
hardware and software revision levels, a summary of errors 
encountered, and the length of time the Cayman Gateway has 
been running since it was last restarted. Identical to the sta- 
tus command. 



telnet { hostname | ip_address } [port] 

Lets you open a telnet connection to the specified host through 
your Cayman Gateway. 

• The hostname argument is the name of the device to which 
you want to connect; for example, telnet ftp.cayman.com . 

• The ip_address argument is the IP address, in dotted dec- 
imal notation, of the device to which you want to connect. 

• The port argument is the number of the port over which 
you want to open a telnet session. 
upload [server_address] [filename] [confirm] 

Copies the current configuration settings of the Cayman Gate- 
way to a TFTP (Trivial File Transfer Protocol) server. The TFTP 
server must be accessible on your Ethernet network. The 
server_address argument identifies the IP address of the 
TFTP server on which you want to store the Cayman Gateway 
settings. The filename argument identifies the path and 
name of the configuration file on the TFTP server. If you include 
the optional confirm keyword, you will not be prompted to 
confirm whether or not you want to perform the operation. 



who 

Displays the names of the current shell and PPP users. 

WAN Commands 



atmping vccn [ segment | end-to-end ] 

Lets you check the ATM connection reachability and network 
connectivity. This command sends five Operations, Administra- 
tion, and Maintenance (OAM) loopback calls to the specified 
vpi/vci destination. There is a five second total timeout interval. 

Use the segment argument to ping a neighbor switch. 
Use the end-to-end argument to ping a remote end node. 



reset dhcp client release [ vcc-id] 

Releases the DHCP lease the Cayman Gateway is currently 
using to acquire the IP settings for the specified DSL port. The 
vcc-id identifier is a letter in the range B-I. Enter the reset 
dhcp client release without the variable to see the letter 
assigned to each virtual circuit. 



reset dhcp client renew [ vcc-id] 

Releases the DHCP lease the Cayman Gateway is currently 
using to acquire the IP settings for the specified DSL port. The 
vcc-id identifier is a letter in the range B-I. Enter the reset 
dhcp client release without the variable to see the letter 
assigned to each virtual circuit. 



reset dsl 

Resets any open DSL connection. 



reset ppp vccn 

Resets the point-to-point connection over the specified virtual 
circuit. This command only applies to virtual circuits that use 
PPP framing. 



show atm [all] 

Displays ATM statistics for the Cayman Gateway. The optional 
all argument displays a more detailed set of ATM statistics. 



show dsl 

Displays DSL port statistics, such as upstream and down- 
stream connection rates and noise levels. 
show ppp [{ stats | lcp | ipcp }] 

Displays information about open PPP links. You can display a 
subset of the PPP statistics by including an optional stats, 
lcp, or ipcp argument for the show ppp command. 

start ppp vccn 

Opens a PPP link on the specified virtual circuit. 
You reach the configuration mode of the command line inter- 
face by typing configure (or any truncation of configure, such 
as con or config) at the CLI SHELL prompt. 

CONFIG Mode Prompt 

When you are in CONFIG mode, the CLI prompt consists of the 
name of the Cayman Gateway followed by your current node in 
the hierarchy and two right angle brackets (>>). For example, 
when you enter CONFIG mode (by typing config at the SHELL 
prompt), the Coconut (top) >> prompt reminds you that you 
are at the top of the CONFIG hierarchy. If you move to the ip 
node in the CONFIG hierarchy (by typing ip at the CONFIG 
prompt), the prompt changes to Coconut (ip) >> to identify 
your current location. 

Some CLI commands are not available until certain conditions 
are met. For example, you must enable IP for an interface 
before you can enter IP settings for that interface. 

Navigating the CONFIG Hierarchy 

• Moving from CONFIG to SHELL — You can navigate from 
anywhere in the CONFIG hierarchy back to the SHELL level by 
entering quit at the CONFIG prompt and pressing Return. 

Dogzilla (top) >> quit 
Dogzilla > 

• Moving from top to a subnode — You can navigate from 
the top node to a subnode by entering the node name (or the 
significant letters of the node name) at the CONFIG prompt 
and pressing Return. For example, you move to the IP subn- 
ode by entering ip and pressing Return. 
Dogzilla (top) >> ip 
Dogzilla (ip) >> 

As a shortcut, you can enter the significant letters of the node 
name in place of the full node name at the CONFIG prompt. The 
significant characters of a node name are the letters that 
uniquely identify the node. For example, since no other CONFIG 
node starts with I, you could enter one letter ("i") to move to 
the IP node. 

• Jumping down several nodes at once — You can jump 
down several levels in the CONFIG hierarchy by entering the 
complete path to a node. 

• Moving up one node — You can move up through the CON- 
FIG hierarchy one node at a time by entering the up com- 
mand. 

• Jumping to the top node — You can jump to the top level 
from anywhere in the CONFIG hierarchy by entering the top 
command. 

• Moving from one subnode to another — You can move 
from one subnode to another by entering a partial path that 
identifies how far back to climb. 

• Moving from any subnode to any other subnode — You 
can move from any subnode to any other subnode by enter- 
ing a partial path that starts with a top-level CONFIG com- 
mand. 

• Scrolling backward and forward through recent com- 
mands — You can use the Up and Down arrow keys to scroll 
backward and forward through recent commands you have 
entered. When the command you want appears, press Enter 
to execute it. 
Entering Commands in CONFIG Mode 

CONFIG commands consist of keywords and arguments. Key- 
words in a CONFIG command specify the action you want to 
take or the entity on which you want to act. Arguments in a 
CONFIG command specify the values appropriate to your site. 
For example, the CONFIG command 



set ip ethernet A ip_address 

consists of two keywords (ip, and ethernet A) and one argu- 
ment (ip_address). When you use the command to configure 
your Gateway, you would replace the argument with a value 
appropriate to your site. 

For example: 



set ip ethernet A 192.31.222.57 
Guidelines: CONFIG Commands 



The following table provides guidelines for entering and format- 
ting CONFIG commands. 



Command component   Rules for entering CONFIG commands 
-----------------   ------------------------------------------------------- 
Command verbs       CONFIG commands must start with a command verb 
                    (set, view, delete). 
                    You can truncate CONFIG verbs to three characters 
                    (set, vie, del). 
                    CONFIG verbs are case-insensitive. You can enter 
                    "SET," "Set," or "set." 

Keywords            Keywords are case-insensitive. You can enter "Ether- 
                    net," "ETHERNET," or "ethernet" as a keyword without 
                    changing its meaning. 
                    Keywords can be abbreviated to the length that they are 
                    differentiated from other keywords. 

Argument Text       Text strings can be as many as 64 characters long, 
                    unless otherwise specified. In some cases they may be 
                    as long as 255 bytes. 
                    Text strings may be enclosed in double (") or single (') 
                    quote marks. If the text string includes an embedded 
                    space, it must be enclosed in quotes. 
                    Special characters are represented using backslash 
                    notation. 

Numbers             Enter numbers as integers, or in hexadecimal, where so 
                    noted. 

IP addresses        Enter IP addresses in dotted decimal notation (0 to 
                    255). 



If a command is ambiguous or miskeyed, the CLI prompts you 
to enter additional information. For example, you must specify 
which virtual circuit you are configuring when you are setting up 
a Cayman Gateway. 
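The following Python model, added here as an illustration and not taken from Netopia's firmware, shows how the entry rules in the table above and the "significant letters" navigation described under "Navigating the CONFIG Hierarchy" fit together: a tokenizer that honours the quoting and backslash conventions, and a resolver that expands three-character verbs and abbreviated node names, raising an error at exactly the point where the real CLI would prompt you for more information. The list of top-level nodes is a constructed subset assumed for the example; the verb and node names otherwise come from this chapter. 

```python
"""Model of the CONFIG-line entry rules: tokenizing, verb truncation and
keyword abbreviation. Added example; the node table is a constructed
subset of the CONFIG hierarchy assumed for illustration only."""
from typing import List, Optional, Tuple

# Command verbs may be truncated to three characters (set, vie, del).
VERBS = ("set", "view", "delete", "validate")
VERB_MIN_LEN = 3

# Constructed subset of top-level CONFIG nodes (assumption for the example).
TOP_NODES = ("atm", "bridge", "dhcp", "dmt", "dns", "ip", "nat-default", "system")


class AmbiguousInput(ValueError):
    """An abbreviation matches several names; the real CLI would prompt here."""


def tokenize(line: str) -> List[str]:
    """Split a CONFIG line into tokens.

    Whitespace separates tokens unless it is inside single or double quotes,
    and a backslash makes the next character literal (backslash notation).
    """
    tokens: List[str] = []
    current: List[str] = []
    quote: Optional[str] = None
    escaped = False
    in_token = False
    for ch in line:
        if escaped:
            current.append(ch)
            escaped = False
            in_token = True
        elif ch == "\\":
            escaped = True
            in_token = True
        elif quote is not None:
            if ch == quote:
                quote = None
            else:
                current.append(ch)
        elif ch in ("'", '"'):
            quote = ch
            in_token = True  # "" is a legitimate empty-string argument
        elif ch.isspace():
            if in_token:
                tokens.append("".join(current))
                current = []
                in_token = False
        else:
            current.append(ch)
            in_token = True
    if quote is not None or escaped:
        raise ValueError("unterminated quote or trailing backslash")
    if in_token:
        tokens.append("".join(current))
    return tokens


def resolve(abbrev: str, names, min_len: int = 1) -> str:
    """Expand a case-insensitive abbreviation to the unique name it prefixes.

    An exact match wins outright (so "ip" is never ambiguous with a longer
    "ip-..." node); otherwise the abbreviation must prefix exactly one name.
    """
    key = abbrev.lower()
    if len(key) < min_len:
        raise ValueError(f"{abbrev!r}: at least {min_len} characters are required")
    if key in names:
        return key
    matches = [n for n in names if n.startswith(key)]
    if not matches:
        raise ValueError(f"unknown keyword {abbrev!r}")
    if len(matches) > 1:
        raise AmbiguousInput(f"{abbrev!r} is ambiguous: {sorted(matches)}")
    return matches[0]


def parse_command(line: str) -> Tuple[str, str, List[str]]:
    """Return (verb, top-level node, remaining tokens) for a CONFIG line."""
    tokens = tokenize(line)
    if len(tokens) < 2:
        raise ValueError("a CONFIG command needs a verb and a node")
    verb = resolve(tokens[0], VERBS, VERB_MIN_LEN)
    node = resolve(tokens[1], TOP_NODES)
    return verb, node, tokens[2:]


if __name__ == "__main__":
    print(parse_command('SET sys name "Home Gateway"'))
    try:
        resolve("d", TOP_NODES)  # dhcp, dmt and dns all start with "d"
    except AmbiguousInput as exc:
        print("CLI would prompt:", exc)
```

With this node set, "i" expands to ip because no other node starts with that letter, while "d" is rejected as ambiguous until a second letter is supplied. 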
Displaying Current Gateway Settings 

You can use the view command to display the current CONFIG 
settings for your Cayman Gateway. If you enter the view com- 
mand at the top level of the CONFIG hierarchy, the CLI displays 
the settings for all enabled functions. If you enter the view com- 
mand at an intermediate node, you see settings for that node 
and its subnodes. 

Step Mode: A CLI Configuration Technique 

The Cayman Gateway command line interface includes a step 
mode to automate the process of entering configuration set- 
tings. When you use the CONFIG step mode, the command line 
interface prompts you for all required and optional information. 
You can then enter the configuration values appropriate for your 
site without having to enter complete CLI commands. 

When you are in step mode, the command line interface 
prompts you to enter required and optional settings. If a setting 
has a default value or a current setting, the command line inter- 
face displays the default value for the command in parenthe- 
ses. If a command has a limited number of acceptable values, 
those values are presented in brackets, with each value sepa- 
rated by a vertical line. For example, the following CLI step com- 
mand indicates that the default value is off and that valid 
entries are limited to on and off. 

option (off) [on | off] : on 

You can accept the default value for a field by pressing the 
Return key. To use a different value, enter it and press Return. 

You can enter the CONFIG step mode by entering set from the 
top node of the CONFIG hierarchy. You can enter step mode for 
a particular service by entering set service_name. In step- 
ping set mode, press Control-X <Return/Enter> to exit. For 
example: 

Dogzilla (top) >> set system 

system 

name ("Dogzilla") : Mycroft 
Diagnostic Level (High) : medium 
Stepping mode ended. 

Validating Your Configuration 

You can use the validate CONFIG command to make sure 
that your configuration settings have been entered correctly. If 
you use the validate command, the Cayman Gateway verifies 
that all required settings for all services are present and that 
settings are consistent. 

Dogzilla (top) >> validate 
Error: Subnet mask is incorrect 
Global Validation did not pass 
inspection ! 

You can use the validate command to verify your configura- 
tion settings at any time. Your Cayman Gateway automatically 
validates your configuration any time you save a modified con- 
figuration. 
This section describes the keywords and arguments for the var- 
ious CONFIG commands. 



DSL Commands 

ATM Settings. You can use the CLI to set up each ATM virtual 
circuit. 



set atm option {on | off } 

Enables the WAN interface of the Cayman Gateway to be config- 
ured using the Asynchronous Transfer Mode (ATM) protocol. 



set atm [vcc n] option {on | off } 

Selects the virtual circuit for which further parameters are set. 
Up to eight VCCs are supported; the maximum number is 
dependent on your Cayman Operating System tier and the capa- 
bilities that your Service Provider offers. 



set atm [vcc n] qos service-class { cbr | ubr | vbr } 

Sets the Quality of Service class for the specified virtual circuit 
- Constant (cbr), Unspecified (ubr), or Variable (vbr) Bit Rate. 

• ubr: No configuration is needed for UBR VCs. Leave the 
default value 0 (maximum line rate). 

• cbr: One parameter is required for CBR VCs. Enter the Peak 
Cell Rate that applies to the VC. This value should be 
between 1 and the line rate. You set this value according to 
specifications defined by your service provider. 
• vbr: Three parameters are required for VBR VCs. Enter the 
Peak Cell Rate, the Sustained Cell Rate, and the Maxi- 
mum Burst Size that apply to the VC. You set these values 
according to specifications defined by your service provider. 

set atm [vcc n] qos peak-cell-rate { 1 ...n } 

If QoS class is set to cbr or vbr, specify the peak-cell-rate 
that should apply to the specified virtual circuit. This value 
should be between 1 and the line rate. 

The Peak Cell Rate (PCR) should be set to the maximum rate a 
PVC can oversubscribe its Sustained Cell Rate (SCR). The Peak 
Cell Rate (see below) must be less than, or equal to the raw 
WAN (DSL) bit rate. The Maximum Burst Size (MBS) is the num- 
ber of cells that can be sent at the PCR rate, after which the 
PVC must fall back to the SCR rate. 



set atm [vcc n] qos sustained-cell-rate { 1 ...n } 

If QoS class is set to vbr, specify the sustained-cell-rate 
that should apply to the specified virtual circuit. This value 
should be less than or equal to the Peak Cell Rate, which 
should be less than or equal to the line rate. 



set atm [vcc n] qos max-burst-size { 1 ...n } 

If QoS class is set to vbr, specify the max-burst-size that 
should apply to the specified virtual circuit. This value is the 
maximum number of cells that can be transmitted at the Peak 
Cell Rate after which the ATM VC transmission rate must drop 
to the Sustained Cell Rate. 
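The relationships between the three QoS parameters are easy to get wrong when values arrive from a service provider as bit rates rather than cell rates. The Python check below is an added example, not part of the Cayman Operating System: it converts the raw DSL bit rate into cells per second using the standard 53-byte ATM cell and then applies the rules given above for each service class (nothing for UBR; PCR between 1 and the line rate for CBR; additionally SCR no greater than PCR and a burst size of at least one cell for VBR). The 800 kbit/s upstream rate in the usage line is a constructed figure. 

```python
"""Consistency check for the ATM QoS parameters (PCR, SCR, MBS) of one VCC.
Added example, not Cayman firmware; the line rate is converted from bits
to cells using the standard 53-byte ATM cell."""
from dataclasses import dataclass
from typing import List

ATM_CELL_BITS = 53 * 8  # every ATM cell carries 53 bytes (5 header + 48 payload)


def line_rate_cells(bits_per_second: int) -> int:
    """Raw DSL bit rate expressed as whole ATM cells per second."""
    return bits_per_second // ATM_CELL_BITS


@dataclass(frozen=True)
class AtmQos:
    service_class: str            # "cbr", "ubr" or "vbr"
    peak_cell_rate: int = 0       # cells/s; 0 means "not configured" (UBR default)
    sustained_cell_rate: int = 0  # cells/s, vbr only
    max_burst_size: int = 0       # cells sent at PCR before falling back to SCR, vbr only


def validate_atm_qos(qos: AtmQos, line_cells_per_second: int) -> List[str]:
    """Return the rule violations for one VCC; an empty list means consistent."""
    errors: List[str] = []
    cls = qos.service_class.lower()
    if cls not in ("cbr", "ubr", "vbr"):
        return [f"unknown service class {qos.service_class!r}"]

    if cls == "ubr":
        # UBR needs nothing: PCR stays at its default of 0 (maximum line rate).
        if qos.peak_cell_rate != 0:
            errors.append("ubr: leave peak-cell-rate at 0 (maximum line rate)")
        return errors

    # cbr and vbr both need a PCR between 1 and the line rate.
    if not 1 <= qos.peak_cell_rate <= line_cells_per_second:
        errors.append(
            f"peak-cell-rate {qos.peak_cell_rate} must be between 1 and "
            f"the line rate ({line_cells_per_second} cells/s)")

    if cls == "vbr":
        # SCR must not exceed PCR; MBS is the burst length (cells) allowed at PCR.
        if not 1 <= qos.sustained_cell_rate <= qos.peak_cell_rate:
            errors.append(
                f"sustained-cell-rate {qos.sustained_cell_rate} must be between 1 "
                f"and the peak-cell-rate ({qos.peak_cell_rate})")
        if qos.max_burst_size < 1:
            errors.append("max-burst-size must be at least 1 cell")
    return errors


if __name__ == "__main__":
    rate = line_rate_cells(800_000)  # constructed 800 kbit/s upstream line
    print(rate, validate_atm_qos(AtmQos("vbr", 1500, 1000, 32), rate))
```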
set atm [vcc n] vpi { 0 ... 255 } 

Select the virtual path identifier (vpi) for VCC n. 

Your Service Provider will indicate the required vpi number. 

set atm [vcc n] vci { 0 ... 65535 } 

Select the virtual channel identifier (vci) for VCC n. 

Your Service Provider will indicate the required vci number. 

set atm [vccn] encap { ppp-vcmux | ppp-llc | ether-llc | 
ip-llc | pppoe-vcmux | pppoe-llc } 

Select the encapsulation mode for VCC n. The options are: 

ppp-vcmux PPP over ATM, VC-muxed 

ppp-llc PPP over ATM, LLC-SNAP 

ether-llc RFC-1483, bridged Ethernet, LLC-SNAP 

ip-llc RFC-1483, routed IP, LLC-SNAP 

pppoe-vcmux PPP over Ethernet, VC-muxed 

pppoe-llc PPP over Ethernet, LLC-SNAP 

Your Service Provider will indicate the required encapsulation 
mode. 

set atm [vccn] pppoe-sessions { 1 ... 8 } 

Select the number of PPPoE sessions to be configured for 
VCC 1, up to a total of eight. The total number of pppoe-ses- 
sions and PPPoE VCCs configured must be less than or equal 
to eight. 
NOTE: 

The maximum number of PPPoE sessions default is 
1 without a license to allow for support of 8. 



Bridging Settings 

Bridging lets the Cayman Gateway use MAC (Ethernet hard- 
ware) addresses to forward non-TCP/IP traffic from one network 
to another. When bridging is enabled, the Cayman Gateway 
maintains a table of up to 512 MAC addresses. Entries that are 
not used within 30 seconds are dropped. If the bridging table 
fills up, the oldest table entries are dropped to make room for 
new entries. 

Virtual circuits that use IP framing cannot be bridged. 



NOTE: 

For bridging in the 3341 (or any model with a USB 
port), you cannot set the bridge option off, or 
bridge ethernet option off; these are on by default 
because of the USB port. 



Common Commands 



set bridge option {on | off } 

Enables or disables bridging services in the Cayman Gateway. 
You must enable bridging services within the Cayman Gateway 
before you can enable bridging for a specific interface. 
set bridge ethernet option { on | off } 



Enables or disables bridging services for the specified virtual 
circuit using Ethernet framing. 



set bridge dsl vccn option { on | off } 

Enables or disables bridging services for the specified DSL vir- 
tual circuit. 

DHCP Settings 

As a Dynamic Host Configuration Protocol (DHCP) server, your Cay- 
man Gateway can assign IP addresses and provide configura- 
tion information to other devices on your network dynamically. A 
device that acquires its IP address and other TCP/IP configura- 
tion settings from the Cayman Gateway can use the information 
for a fixed period of time (called the DHCP lease). 

Common Commands 



set dhcp option { off | server | relay-agent } 

Enables or disables DHCP services in the Cayman Gateway. 
You must enable DHCP services before you can enter other 
DHCP settings for the Cayman Gateway. 

If you turn off DHCP services and save the new configuration, 
the Cayman Gateway clears its DHCP settings. 



set dhcp start-address ip_address 

If you selected server, specifies the first address in the 
DHCP address range. The Cayman Gateway can reserve a 
sequence of up to 253 IP addresses within a subnet, beginning 
with the specified address for dynamic assignment. 



set dhcp end-address ip_address 

If you selected server, specifies the last address in the DHCP 
address range. 



set dhcp lease-time lease-time 

If you selected server , specifies the default length for DHCP 
leases issued by the Cayman Gateway. Enter lease time in 
dd:hh:mm:ss (day/hour/minute/second) format. 



set dhcp server-address ip_address 

If you selected relay-agent, specifies the IP address of the 
relay agent server. 
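Two of the server settings above are easy to mis-enter: the address range (which must lie in the LAN subnet, hold no more than 253 addresses, and should not hand out the Gateway's own address) and the lease time in dd:hh:mm:ss form. The Python helpers below are an added example, not Netopia's code; they take the LAN interface address and mask as inputs because the range must be checked against that subnet, and the 192.168.1.x values in the usage line are the manual's own defaults. 

```python
"""Sanity checks for DHCP server settings: the start/end address range and
the dd:hh:mm:ss lease time. Added example, not Cayman firmware."""
import ipaddress
import re
from typing import List

MAX_DHCP_ADDRESSES = 253  # the Gateway reserves at most 253 addresses in a subnet

_LEASE_RE = re.compile(r"(\d{1,2}):(\d{1,2}):(\d{1,2}):(\d{1,2})")


def parse_lease_time(text: str) -> int:
    """Convert a dd:hh:mm:ss lease time into seconds, rejecting bad fields."""
    match = _LEASE_RE.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"lease time must be dd:hh:mm:ss, got {text!r}")
    days, hours, minutes, seconds = (int(f) for f in match.groups())
    if hours > 23 or minutes > 59 or seconds > 59:
        raise ValueError(f"hours/minutes/seconds out of range in {text!r}")
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def validate_dhcp_range(lan_address: str, lan_netmask: str,
                        start_address: str, end_address: str) -> List[str]:
    """Return the problems with a start/end pair, or [] if the range is usable."""
    errors: List[str] = []
    lan = ipaddress.IPv4Interface(f"{lan_address}/{lan_netmask}")
    subnet = lan.network
    start = ipaddress.IPv4Address(start_address)
    end = ipaddress.IPv4Address(end_address)

    if start not in subnet or end not in subnet:
        errors.append(f"range must lie inside the LAN subnet {subnet}")
    if end < start:
        errors.append("end-address is lower than start-address")
    elif int(end) - int(start) + 1 > MAX_DHCP_ADDRESSES:
        errors.append(f"range holds more than {MAX_DHCP_ADDRESSES} addresses")
    # The network and broadcast addresses are never assignable to hosts.
    if start == subnet.network_address or end == subnet.broadcast_address:
        errors.append("range must not include the network or broadcast address")
    # Leasing the Gateway's own address would create a duplicate on the LAN.
    if start <= lan.ip <= end:
        errors.append(f"range must not include the Gateway's LAN address {lan.ip}")
    return errors


if __name__ == "__main__":
    print(parse_lease_time("01:00:00:00"))  # one day, in seconds
    print(validate_dhcp_range("192.168.1.254", "255.255.255.0",
                              "192.168.1.1", "192.168.1.253"))
```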



DMT Settings 

set dmt type [ lite | dmt | ansi | multi ] 

Selects the type of Discrete Multitone (DMT) asymmetric digi- 
tal subscriber line (ADSL) protocol to use for the WAN interface. 



NOTE: 

dmt type is not supported for Annex B (335x) plat- 
forms. 
set dmt autoConfig [ off | on ] 



Enables support for automatic VPI/VCI detection and configura- 
tion. When set to on (the default), a pre-defined list of VPI/VCI 
pairs is searched to find a valid configuration for your ADSL 
line. Entering a value for the VPI or VCI setting disables this 
feature. 



set dmt wiringMode [ auto | tip_ring | A_A1 ] 

(not supported on all models) This command configures the wir- 
ing mode setting for your ADSL line. Selecting auto (the default) 
causes the Gateway to detect which pair of wires (inner or outer 
pair) are in use on your phone line. Specifying tip_ring forces 
the inner pair to be used; and A_A1 the outer pair. 

Domain Name System Settings 

Domain Name System (DNS) is an information service for TCP/ 
IP networks that uses a hierarchical naming system to identify 
network domains and the hosts associated with them. You can 
identify a primary DNS server and one secondary server. 

Common Commands 



set dns domain-name domain-name 

Specifies the default domain name for your network. When an 
application needs to resolve a host name, it appends the 
default domain name to the host name and asks the DNS 
server if it has an address for the "fully qualified host name." 



set dns primary-address ip_address 

Specifies the IP address of the primary DNS name server. 
set dns secondary-address ip_address 

Specifies the IP address of the secondary DNS name server. 
Enter 0.0.0.0 if your network does not have a secondary DNS 
name server. 



IP Settings 

You can use the command line interface to specify whether 
TCP/IP is enabled, identify a default Gateway, and to enter 
TCP/IP settings for the Cayman Gateway LAN and WAN ports. 



NOTE: 

For the DSL platform you must identify the virtual 
PPP interface [vccn], a number from 1 to 8. 



Common Settings 
set ip option { on | off } 

Enables or disables TCP/IP services in the Cayman Gateway. 
You must enable TCP/IP services before you can enter other 
TCP/IP settings for the Cayman Gateway. If you turn off TCP/IP 
services and save the new configuration, the Cayman Gateway 
clears its TCP/IP settings. 
set ip dsl vccn address ip_address 

Assigns an IP address to the virtual circuit. Enter 0.0.0.0 if you 
want the virtual circuit to obtain its IP address from a remote 
DHCP server. 



set ip dsl vccn broadcast broadcast_address 

Specifies the broadcast address for the TCP/IP network con- 
nected to the virtual circuit. IP hosts use the broadcast address 
to send messages to every host on your network simulta- 
neously. 

The broadcast address for most networks is the network num- 
ber followed by 255. For example, the broadcast address for 
the 192.168.1.0 network would be 192.168.1.255. 



set ip dsl vccn netmask netmask 

Specifies the subnet mask for the TCP/IP network connected to 
the virtual circuit. The subnet mask specifies which bits of the 
32-bit binary IP address represents network information. The 
default subnet mask for most networks is 255.255.255.0 
(Class C subnet mask). 



set ip dsl vccn restriction { admin-disabled | none } 

Specifies restrictions on the types of traffic the Cayman Gate- 
way accepts over the DSL virtual circuit. The admin-dis- 
abled argument means that access to the device via telnet, 
web, and SNMP is disabled. RIP and ICMP traffic is still 
accepted. The none argument means that all traffic is 
accepted. 
set ip dsl vccn addr-mapping { on | off } 

Specifies whether you want the Cayman Gateway to use net- 
work address translation (NAT) when communicating with 
remote routers. Address mapping lets you conceal details of 
your network from remote routers. It also permits all LAN 
devices to share a single IP address. By default, address map- 
ping is turned "On". 



set ip dsl vccn rip-send { off | v1 | v2 | v1-compat | v2-MD5 } 

Specifies whether the Cayman Gateway should use Routing 
Information Protocol (RIP) broadcasts to advertise its routing 
tables to other routers. RIP Version 2 (RIP-2) is an extension of 
the original Routing Information Protocol (RIP-1) that expands 
the amount of useful information in the RIP packets. While RIP- 
1 and RIP-2 share the same basic algorithms, RIP-2 supports 
several additional features, including inclusion of subnet masks 
in RIP packets and implementation of multicasting instead of 
broadcasting (which reduces the load on hosts which do not 
support routing protocols). RIP-2 with MD5 authentication is an 
extension of RIP-2 that increases security by requiring an 
authentication key when routes are advertised. 

Depending on your network needs, you can configure your Cay- 
man Gateway to support RIP-1, RIP-2, or RIP-2MD5. 

If you specify v2-MD5, you must also specify a rip-send-key. 
Keys are ASCII strings with a maximum of 31 characters, and 
must match the other router(s) keys for proper operation of 
MD5 support. 
set ip dsl vccn rip-receive { off | v1 | v2 | v1-compat | v2-MD5 } 

Specifies whether the Cayman Gateway should use Routing 
Information Protocol (RIP) broadcasts to update its routing 
tables with information received from other routers. 

If you specify v2-MD5, you must also specify a rip-receive-key. 
Keys are ASCII strings with a maximum of 31 characters, 
and must match the other router(s) keys for proper operation of 
MD5 support. 

Ethernet LAN Settings 

set ip ethernet option { on | off } 

Enables or disables communications through the designated 
Ethernet port in the Gateway. You must enable TCP/IP functions 
for an Ethernet port before you can configure its network set- 
tings. 



set ip ethernet A address ip_address 

Assigns an IP address to the Cayman Gateway on the local area 
network. The IP address you assign to the local Ethernet inter- 
face must be unique on your network. By default, the Cayman 
Gateway uses 192.168.1.254 as its LAN IP address. 



set ip ethernet A broadcast broadcast_address 

Specifies the broadcast address for the local Ethernet inter- 
face. IP hosts use the broadcast address to send messages to 
every host on your network simultaneously. 
The broadcast address for most networks is the network num- 
ber followed by 255. For example, the broadcast address for 
the 192.168.1.0 network would be 192.168.1.255. 



set ip ethernet A netmask netmask 

Specifies the subnet mask for the local Ethernet interface. The 
subnet mask specifies which bits of the 32-bit binary IP 
address represent network information. The default subnet 
mask for most networks is 255.255.255.0 (Class C subnet 
mask). 
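The broadcast and netmask rules above (stated for the Ethernet interface here and for the DSL virtual circuits earlier) only give the 192.168.1.0 / 255.255.255.0 case. The Python helpers below are an added example, not Netopia's code: they derive the broadcast address for any valid mask, and they perform the kind of contiguity check that lies behind the "Subnet mask is incorrect" message shown in the validate example earlier in this chapter (the exact rule the Gateway applies is not stated on this page; the check here is the standard one). 

```python
"""Subnet-mask and broadcast-address helpers for interface settings.
Added example, not Cayman firmware; generalizes the /24 case in the text."""
import ipaddress


def mask_is_valid(netmask: str) -> bool:
    """True when the mask is a contiguous run of 1 bits followed by 0 bits."""
    bits = int(ipaddress.IPv4Address(netmask))
    inverted = ~bits & 0xFFFFFFFF           # 0...01...1 for a valid mask
    return inverted & (inverted + 1) == 0   # i.e. inverted + 1 is a power of two


def prefix_length(netmask: str) -> int:
    """Number of network bits in a valid mask (255.255.255.0 -> 24)."""
    if not mask_is_valid(netmask):
        raise ValueError(f"Subnet mask is incorrect: {netmask}")
    return bin(int(ipaddress.IPv4Address(netmask))).count("1")


def broadcast_address(address: str, netmask: str) -> str:
    """Directed broadcast of the network that address/netmask belongs to."""
    if not mask_is_valid(netmask):
        raise ValueError(f"Subnet mask is incorrect: {netmask}")
    network = ipaddress.IPv4Interface(f"{address}/{netmask}").network
    return str(network.broadcast_address)


def is_assignable(address: str, netmask: str) -> bool:
    """False for the network or broadcast address, which no interface may use."""
    iface = ipaddress.IPv4Interface(f"{address}/{netmask}")
    net = iface.network
    return iface.ip not in (net.network_address, net.broadcast_address)


if __name__ == "__main__":
    print(broadcast_address("192.168.1.254", "255.255.255.0"))  # 192.168.1.255
    print(broadcast_address("10.0.0.130", "255.255.255.192"))   # 10.0.0.191
```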



set ip ethernet A restrictions { none | admin-disabled } 

Specifies whether an administrator can open a telnet connec- 
tion to a Cayman Gateway over the Ethernet interface to moni- 
tor and configure the unit. The admin-disabled argument 
means that access to the device via telnet, web, and SNMP is 
disabled. On the WAN port, you can enable or disable adminis- 
trator access or specify that the WAN port can only be used for 
administrative traffic. By default, administrative restrictions are 
off on the LAN, meaning an administrator can open a telnet 
connection there, but admin-disabled is set for the WAN. 



set ip ethernet A rip-send { off | v1 | v2 | v1-compat | v2-MD5 } 

Specifies whether the Cayman Gateway should use Routing 
Information Protocol (RIP) broadcasts to advertise its routing 
tables to other routers on your network. RIP Version 2 (RIP-2) is 
an extension of the original Routing Information Protocol (RIP-1) 
that expands the amount of useful information in the RIP pack- 
ets. While RIP-1 and RIP-2 share the same basic algorithms, 
RIP-2 supports several additional features, including inclusion 
of subnet masks in RIP packets and implementation of multi- 
casting instead of broadcasting (which reduces the load on 
hosts which do not support routing protocols). RIP-2 with MD5 
authentication is an extension of RIP-2 that increases security 
by requiring an authentication key when routes are advertised. 

If you specify v2-MD5, you must also specify a rip-send-key. 
Keys are ASCII strings with a maximum of 31 characters, and 
must match the other router(s) keys for proper operation of 
MD5 support. 

Depending on your network needs, you can configure your Cay- 
man Gateway to support RIP-1, RIP-2, or RIP-2MD5. 



set ip ethernet A rip-receive { off | v1 | v2 | v1-compat | v2-MD5 } 

Specifies whether the Cayman Gateway should use Routing 
Information Protocol (RIP) broadcasts to update its routing 
tables with information received from other routers on your net- 
work. 

If you specify v2-MD5, you must also specify a rip-receive-key. 
Keys are ASCII strings with a maximum of 31 characters, 
and must match the other router(s) keys for proper operation of 
MD5 support. 

Default IP Gateway Settings 
set ip gateway option { on | off } 

Specifies whether the Cayman Gateway should send packets to 
a default Gateway if it does not know how to reach the destina- 
tion host. 




set ip gateway interface { ip-address | ppp-vccn } 

Specifies how the Cayman Gateway should route information to 
the default Gateway. If you select ip-address, you must enter 
the IP address of a host on a local or remote network. If you 
specify ppp, the Cayman unit uses the default gateway being 
used by the remote PPP peer. 

IP-over-PPP Settings. Use the following commands to config- 
ure settings for routing IP over a virtual PPP interface. 



NOTE: 

For a DSL platform you must identify the virtual PPP 
interface [vccn], a number from vcc1 to vcc8. 



set ip ip-ppp [vccn] option { on | off } 

Enables or disables IP routing through the virtual PPP interface. 
By default, IP routing is turned off. You must enable IP routing 
before you can enter other IP routing settings for the virtual PPP 
interface. If you turn off IP routing and save the new configura- 
tion, the Cayman Gateway clears IP routing settings. 



set ip ip-ppp [vccn] address ip_address 

Assigns an IP address to the virtual PPP interface. If you spec- 
ify an IP address other than 0.0.0.0, your Cayman Gateway will 
not negotiate its IP address with the remote peer. If the remote 
peer does not accept the IP address specified in the 
ip_address argument as valid, the link will not come up. 
The default value for the ip_address argument is 0.0.0.0, 
which indicates that the virtual PPP interface will use the IP 
address assigned to it by the remote peer. Note that the 
remote peer must be configured to supply an IP address to your 
Cayman Gateway if you enter 0.0.0.0 for the ip_address 
argument. 



set ip ip-ppp [vccn] peer-address ip_address 

Specifies the IP address of the peer on the other end of the PPP 
link. If you specify an IP address other than 0.0.0.0, your Cay- 
man Gateway will not negotiate the remote peer's IP address. If 
the remote peer does not accept the address in the 
ip_address argument as its IP address (typically because it 
has been configured with another IP address), the link will not 
come up. 

The default value for the ip_address argument is 0.0.0.0, 
which indicates that the virtual PPP interface will accept the IP 
address returned by the remote peer. If you enter 0.0.0.0, the 
peer system must be configured to supply this address. 



set ip ip-ppp [vccn] restriction { admin-disabled | none } 

Specifies restrictions on the types of traffic the Cayman Gate- 
way accepts over the PPP virtual circuit. The admin-dis- 
abled argument means that access to the device, via telnet, 
web and SNMP is disabled. The none argument means that all 
traffic is accepted. 



set ip ip-ppp [vccn] addr-mapping { on | off } 

Specifies whether you want the Cayman Gateway to use net- 
work address translation (NAT) when communicating with 
remote routers. Network address translation lets you conceal 
details of your network from remote routers. By default, 
address mapping is turned on. 



set ip ip-ppp [vccn] rip-send { off | v1 | v2 | v1-compat | v2-MD5 } 

Specifies whether the Cayman Gateway unit should use Routing 
Information Protocol (RIP) broadcasts to advertise its routing 
tables to routers on the other side of the PPP link. An extension 
of the original Routing Information Protocol (RIP-1), RIP Version 
2 (RIP-2) expands the amount of useful information in the pack- 
ets. While RIP-1 and RIP-2 share the same basic algorithms, 
RIP-2 supports several new features, for example inclusion of 
subnet masks in RIP packets and implementation of multicast- 
ing instead of broadcasting. This last feature reduces the load 
on hosts which do not support routing protocols. RIP-2 with 
MD5 authentication is an extension of RIP-2 that increases 
security by requiring an authentication key when routes are 
advertised. 

This command is only available when address mapping for the 
specified virtual circuit is turned "off". 

If you specify v2-MD5, you must also specify a rip-send-key. 
Keys are ASCII strings with a maximum of 31 characters, and 
must match the other router(s) keys for proper operation of 
MD5 support. 
set ip ip-ppp [vccn] rip-receive { off | v1 | v2 | v1-compat | v2-MD5 } 

Specifies whether the Cayman Gateway should use Routing 
Information Protocol (RIP) broadcasts to update its routing 
tables with information received from other routers on the other 
side of the PPP link. 

If you specify v2-MD5, you must also specify a rip-receive-key. 
Keys are ASCII strings with a maximum of 31 characters, 
and must match the other router(s) keys for proper operation of 
MD5 support. 

Static ARP Settings. Your Cayman Gateway maintains a 
dynamic Address Resolution Protocol (ARP) table to map IP 
addresses to Ethernet (MAC) addresses. Your Cayman Gateway 
populates this ARP table dynamically, by retrieving IP address/ 
MAC address pairs only when it needs them. Optionally, you can 
define static ARP entries to map IP addresses to their corre- 
sponding Ethernet MAC addresses. Unlike dynamic ARP table 
entries, static ARP table entries do not time out. 

You can configure as many as 16 static ARP table entries for a 
Cayman Gateway. Use the following commands to add static 
ARP entries to the Cayman Gateway static ARP table: 



set ip static-arp ip-address ip_address 

Specifies the IP address for the static ARP entry. Enter an IP 
address in the ip_address argument in dotted decimal for- 
mat. The ip_address argument cannot be 0.0.0.0. 
set ip static-arp ip-address ip_address hardware-address MAC_address 

Specifies the Ethernet hardware address for the static ARP 
entry. Enter an Ethernet hardware address in the 
MAC_address argument in nn.nn.nn.nn.nn.nn (hexadecimal) 
format. 
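The small Python model below is an added example, not Netopia's code, of the static ARP table described above: it parses hardware addresses in the manual's nn.nn.nn.nn.nn.nn hexadecimal form, rejects 0.0.0.0 as the IP address, enforces the 16-entry limit, treats re-entering an existing IP address as an update rather than a new entry, and can print the CONFIG commands that would recreate the table. The 02.00.00.xx.xx.xx hardware addresses in the tests are constructed (locally administered) values, not real device addresses. 

```python
"""Model of the static ARP table: dotted-hex MAC parsing, no 0.0.0.0 entries,
at most 16 entries. Added example, not Cayman firmware."""
import ipaddress
import re
from typing import Dict, List, Optional

MAX_STATIC_ARP_ENTRIES = 16
_HEX_OCTET = re.compile(r"[0-9A-Fa-f]{2}")


def parse_mac(text: str) -> bytes:
    """Parse nn.nn.nn.nn.nn.nn (hexadecimal, dot separated) into six bytes."""
    parts = text.split(".")
    if len(parts) != 6 or not all(_HEX_OCTET.fullmatch(p) for p in parts):
        raise ValueError(f"MAC address must be nn.nn.nn.nn.nn.nn in hex, got {text!r}")
    return bytes(int(p, 16) for p in parts)


def format_mac(mac: bytes) -> str:
    """Render six bytes back into the manual's dotted-hex notation."""
    return ".".join(f"{b:02x}" for b in mac)


class StaticArpTable:
    """IP -> MAC bindings that, unlike dynamic ARP entries, never time out."""

    def __init__(self) -> None:
        self._entries: Dict[ipaddress.IPv4Address, bytes] = {}

    def add(self, ip: str, mac: str) -> None:
        addr = ipaddress.IPv4Address(ip)
        if addr == ipaddress.IPv4Address("0.0.0.0"):
            raise ValueError("ip-address cannot be 0.0.0.0")
        hw = parse_mac(mac)
        if addr not in self._entries and len(self._entries) >= MAX_STATIC_ARP_ENTRIES:
            raise ValueError(f"static ARP table is full ({MAX_STATIC_ARP_ENTRIES} entries)")
        self._entries[addr] = hw  # re-adding an IP updates its hardware address

    def lookup(self, ip: str) -> Optional[str]:
        hw = self._entries.get(ipaddress.IPv4Address(ip))
        return None if hw is None else format_mac(hw)

    def __len__(self) -> int:
        return len(self._entries)

    def config_lines(self) -> List[str]:
        """The CONFIG commands that would recreate this table."""
        return [
            f"set ip static-arp ip-address {ip} hardware-address {format_mac(hw)}"
            for ip, hw in sorted(self._entries.items())
        ]


if __name__ == "__main__":
    table = StaticArpTable()
    table.add("192.168.1.10", "02.00.00.00.00.0a")  # constructed example entry
    print("\n".join(table.config_lines()))
```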

IGMP Forwarding 

set ip igmp-forwarding [ off | on ] 

Turns IP IGMP forwarding off or on. The default is off. 

IPsec Passthrough 

set ip ipsec-passthrough [ off | on ] 

Turns IPsec client passthrough off or on. The default is on. 
A static route identifies a manually configured pathway to a 
remote network. Unlike dynamic routes, which are acquired and 
confirmed periodically from other routers, static routes do not 
time out. Consequently, static routes are useful when working 
with PPP, since an intermittent PPP link may make maintenance 
of dynamic routes problematic. 

You can configure as many as 32 static IP routes for a Cayman 
Gateway. Use the following commands to maintain static routes 
to the Cayman Gateway routing table: 



set ip static-routes destination-network net_address 

Specifies the network address for the static route. Enter a net- 
work address in the net_address argument in dotted deci- 
mal format. The net_address argument cannot be 0.0.0.0. 
set ip static-routes destination-network net_address netmask netmask 

Specifies the subnet mask for the IP network at the other end 
of the static route. Enter the netmask argument in dotted deci- 
mal format. The subnet mask associated with the destination 
network must represent the same network class (A, B, or C) or 
a lower class (such as a class C subnet mask for class B net- 
work number) to be valid. 



set ip static-routes destination-network net_address 
interface { ip-address | ppp-vccn } 

Specifies the interface through which the static route is acces- 
sible. 



set ip static-routes destination-network net_address 
gateway-address gate_address 

Specifies the IP address of the Gateway for the static route. The 
default Gateway must be located on a network connected to the 
Cayman Gateway configured interface. 

set ip static-routes destination-network net_address 
metric integer 

Specifies the metric (hop count) for the static route. The default 
metric is 1. Enter a number from 1 to 15 for the integer argu- 
ment to indicate the number of routers (actual or best guess) a 
packet must traverse to reach the remote network. 

You can enter a metric of 1 to indicate either: 

• The remote network is one router away and the static route 
is the best way to reach it; 
• The remote network is more than one router away but the 
static route should not be replaced by a dynamic route, even 
if the dynamic route is more efficient. 

set ip static-routes destination-network net_address 
rip-advertise [ SplitHorizon | Always | Never ] 

Specifies whether the gateway should use Routing Information 
Protocol (RIP) broadcasts to advertise to other routers on your 
network and which mode to use. The default is SplitHorizon. 



delete ip static-routes destination-network net_address 

Deletes a static route. Deleting a static route removes all infor- 
mation associated with that route. 
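The checks below, added here as a worked example and not part of Netopia's software, apply the static-route rules just described to a candidate route: the destination cannot be 0.0.0.0, the netmask must represent the destination's own class or a lower one, and the metric must be 1 to 15. Function and field names are assumptions made for this example.

```python
import ipaddress

# Added example, not part of Netopia's software: checks a candidate static
# route against the rules given in the manual. Function and field names are
# assumptions made for this example.

CLASS_DEFAULT_PREFIX = {"A": 8, "B": 16, "C": 24}


def address_class(addr):
    """Classful class (A, B or C) of a dotted-decimal IPv4 address."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        return "A"
    if first_octet < 192:
        return "B"
    if first_octet < 224:
        return "C"
    raise ValueError(f"{addr} is not a class A, B or C address")


def mask_prefix_length(netmask):
    """Prefix length of a dotted-decimal subnet mask, or None if the mask
    is not a contiguous run of one bits followed by zeros."""
    value = int(ipaddress.IPv4Address(netmask))
    ones = bin(value).count("1")
    if value != ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF):
        return None
    return ones


def validate_static_route(net_address, netmask, metric=1):
    """Return a list of problems; an empty list means the route is acceptable."""
    problems = []
    if net_address == "0.0.0.0":
        # The manual forbids 0.0.0.0 as a static destination.
        return ["destination-network cannot be 0.0.0.0"]
    prefix = mask_prefix_length(netmask)
    if prefix is None:
        return [f"netmask {netmask} is not a valid subnet mask"]
    cls = address_class(net_address)
    # Same class or lower (a longer mask) is valid; a shorter mask is not.
    if prefix < CLASS_DEFAULT_PREFIX[cls]:
        problems.append(f"netmask /{prefix} is a higher class than the "
                        f"class {cls} destination {net_address}")
    if not 1 <= metric <= 15:
        problems.append(f"metric {metric} is outside the range 1-15")
    return problems


if __name__ == "__main__":
    # Constructed sample routes: one valid, one with a class A mask on a
    # class B destination.
    for route in (("10.0.0.0", "255.0.0.0", 1), ("172.16.0.0", "255.0.0.0", 1)):
        print(route, validate_static_route(*route) or "ok")
```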

IPMaps Settings 



set ip-maps name <name> internal-ip <ip address> 

Specifies the name and static IP address of the LAN device to 
be mapped. 



set ip-maps name <name> external-ip <ip address> 

Specifies the name and static IP address of the WAN device to 
be mapped. 

Up to 8 mapped static IP addresses are supported. 






CONFIG Commands 



Network Address Translation (NAT) Default Settings 

NAT default settings let you specify whether you want your Cayman 
Gateway to forward NAT traffic to a default server when it doesn't 
know what else to do with it. The NAT default host function is 
useful in situations where you cannot create a specific NAT pinhole 
for a traffic stream because you cannot anticipate what port number 
an application might use. For example, some network games select 
arbitrary port numbers when a connection is being opened. By 
identifying your computer (or another host on your network) as a 
NAT default server, you can specify that NAT traffic that would 
otherwise be discarded by the Cayman Gateway should be directed to 
a specific host. 



set nat-default mode { off | default-server | ip-passthrough } 

Specifies whether you want your Cayman Gateway to forward 
unsolicited traffic from the WAN to a default server or an IP 
passthrough host when it doesn't know what else to do with it. 
See "Default Server" on page 96 for more information. 



set nat-default { address ip_address | host-hardware-address MAC_address } 

Specifies the IP address of the NAT default server or the hard- 
ware (MAC) address of the IP passthrough host. 
Network Address Translation (NAT) Pinhole Settings 

NAT pinholes let you pass specific types of network traffic 
through the NAT interfaces on the Cayman Gateway. NAT pin- 
holes allow you to route selected types of network traffic, such 
as FTP requests or HTTP (Web) connections, to a specific host 
behind the Cayman Gateway transparently. 

To set up NAT pinholes, you identify the type(s) of traffic you 
want to redirect by port number, and you specify the internal 
host to which each specified type of traffic should be directed. 

The following list identifies protocol type and port number for 
common TCP/IP protocols: 

• FTP (TCP 21) 

• telnet (TCP 23) 

• SMTP (TCP 25) 

• TFTP (UDP 69) 

• SNMP (TCP 161, UDP 161) 

set pinhole name name 

Specifies the identifier for the entry in the router's pinhole 
table. You can name pinhole table entries sequentially (1, 2, 3), 
by port number (21, 80, 23), by protocol, or by some other 
naming scheme. 



set pinhole name name protocol-select { tcp | udp } 

Specifies the type of protocol being redirected. 



set pinhole name name external-port-start [ 0 - 49151 ] 

Specifies the first port number in the range being translated. 
set pinhole name name external-port-end [ 0 - 49151 ] 

Specifies the last port number in the range being translated. 



set pinhole name name internal-ip internal-ip 

Specifies the IP address of the internal host to which traffic of 
the specified type should be transferred. 



set pinhole name name internal-port internal-port 

Specifies the port number your Cayman Gateway should use 
when forwarding traffic of the specified type. Under most cir- 
cumstances, you would use the same number for the external 
and internal port. 



PPPoE/PPPoA Settings 

You can use the following commands to configure basic set- 
tings, port authentication settings, and peer authentication set- 
tings for PPP interfaces on your Cayman Gateway. 



Configuring Basic PPP Settings. 



NOTE: 

For the DSL platform you must identify the virtual 
PPP interface [vccn], a number from 1 to 8. 



set PPP module [vccn] option { on | off } 

Enables or disables PPP on the Cayman Gateway. 
set PPP module [vccn] auto-connect { on | off } 



Supports the manual connection mode required by some vendors. 
The default (on) is not normally changed. If auto-connect is 
disabled (off), you must start and stop the PPP connection 
manually. 



set PPP module [vccn] mru integer 

Specifies the Maximum Receive Unit (MRU) for the PPP inter- 
face. The integer argument can be any number between 128 
and 1492 for PPPoE; 1500 otherwise. 



set PPP module [vccn] magic-number { on | off } 

Enables or disables LCP magic number negotiation. 



set PPP module [vccn] protocol-compression { on | off } 

Specifies whether you want the Cayman Gateway to compress 
the PPP Protocol field when it transmits datagrams over the PPP 
link. 



set PPP module [vccn] lcp-echo-requests { on | off } 

Specifies whether you want your Cayman Gateway to send LCP 
echo requests. You should turn off LCP echoing if you do not 
want the Cayman Gateway to drop a PPP link to a nonrespon- 
sive peer. 



set PPP module [vccn] failures-max integer 

Specifies the maximum number of Configure-NAK messages the 
PPP module can send without having sent a Configure-ACK mes- 
sage. The integer argument can be any number between 1 and 
20. 
set PPP module [vccn] configure-max integer 

Specifies the maximum number of unacknowledged configura- 
tion requests that your Cayman Gateway will send. The integer 
argument can be any number between 1 and 10. 



set PPP module [vccn] terminate-max integer 

Specifies the maximum number of unacknowledged termination 
requests that your Cayman Gateway will send before terminat- 
ing the PPP link. The integer argument can be any number 
between 1 and 10. 



set PPP module [vccn] restart-timer integer 

Specifies the number of seconds the Cayman Gateway should 
wait before retransmitting a configuration or termination 
request. The integer argument can be any number between 1 
and 30. 



set PPP module [vccn] connection-type 
{ instant-on | always-on } 

Specifies whether a PPP connection is maintained by the Cay- 
man Gateway when it is unused for extended periods. If you 
specify always-on, the Cayman Gateway never shuts down 
the PPP link. If you specify instant-on, the Cayman Gateway 
shuts down the PPP link after the number of seconds specified 
in the time-out setting (below) if no traffic is moving over the 
circuit. 



set PPP module [vccn] time-out integer 

If you specified a connection type of instant-on, specifies 
the number of seconds, in the range 30 - 3600, with a default 
value of 300, the Cayman Gateway should wait for communication 
activity before terminating the PPP link. 

Configuring Port Authentication. You can use the following 
command to specify how your Cayman Gateway should respond 
when it receives an authentication request from a remote peer. 

The settings for port authentication on the local Cayman Gate- 
way must match the authentication that is expected by the 
remote peer. For example, if the remote peer requires CHAP 
authentication and has a name and CHAP secret for the Cay- 
man Gateway, you must enable CHAP and specify the same 
name and secret on the Cayman Gateway before the link can be 
established. 



set PPP module [vccn] port-authentication 
option [ off | on | pap-only | chap-only ] 
username: 
password: 

Specifying on turns both PAP and CHAP on; pap-only or chap-only 
selects a single protocol. Specify the username and password 
whenever port authentication is turned on (both CHAP and PAP, 
CHAP only, or PAP only). 

The username argument is 1-255 alphanumeric characters. 
The information you enter must match the username configured 
in the PPP peer's authentication database. 

The password argument is 1-32 alphanumeric characters. The 
information you enter must match the password used by the 
PPP peer. 

Authentication must be enabled before you can enter other 
information. 
Ethernet Port Settings 



set ethernet ethernet A mode { auto | 100M-full | 
100M-half | 10M-full | 10M-half } 

Allows mode setting for the ethernet port. Only supported on 
units without a LAN switch, or dual ethernet products (338x). In 
the dual ethernet case, "ethernet B" would be specified for the 
WAN port. The default is auto. 

Command Line Interface Preference Settings 

You can set command line interface preferences to customize 
your environment. 



set preference verbose { on | off } 
set define verbose { on | off } 

Specifies whether you want command help and prompting infor- 
mation displayed. By default, the command line interface ver- 
bose preference is turned off. If you turn it on, the command 
line interface displays help for a node when you navigate to that 
node. 



set preference more lines 
set define more lines 

Specifies how many lines of information you want the command 
line interface to display at one time. The lines argument speci- 
fies the number of lines you want to see at one time. The range 
is 1-65535. By default, the command line interface shows you 
22 lines of text before displaying the prompt: More ...[y|n] ?. 
If you enter 100 for the lines argument, the command line 
interface displays information as an uninterrupted stream 
(which is useful for capturing information to a text file). 

Port Renumbering Settings 

If you use NAT pinholes to forward HTTP or telnet traffic through 
your Cayman Gateway to an internal host, you must change the 
port numbers the Cayman Gateway uses for its own configura- 
tion traffic. For example, if you set up a NAT pinhole to forward 
network traffic on Port 80 (HTTP) to another host, you would 
have to tell the Cayman Gateway to listen for configuration con- 
nection requests on a port number other than 80, such as 
6080. 

After you have changed the port numbers the Cayman Gateway 
uses for its configuration traffic, you must use those port num- 
bers instead of the standard numbers when configuring the Cay- 
man Gateway. For example, if you move the router's Web 
service to port "6080" on a box with a system (DNS) name of 
"superbox", you would enter the URL http://superbox:6080 in 
a Web browser to open the Cayman Gateway graphical user 
interface. Similarly, you would have to configure your telnet 
application to use the appropriate port when opening a configu- 
ration connection to your Cayman Gateway. 



set servers web-http [ 1 - 65534 ] 

Specifies the port number for HTTP (web) communication with 
the Cayman Gateway. Because port numbers in the range 0- 
1024 are used by other protocols, you should use numbers in 
the range 2000-65534 when assigning new port numbers to 
the Cayman Gateway web configuration interface. A setting of 0 
(zero) will turn the server off. 
set servers telnet-tcp [ 1 - 65534 ] 

Specifies the port number for telnet (CLI) communication with 
the Cayman Gateway. Because port numbers in the range 0- 
1024 are used by other protocols, you should use numbers in 
the range 2000-65534 when assigning new port numbers to 
the Cayman Gateway telnet configuration interface. A setting of 
0 (zero) will turn the server off. 



NOTE: 

You cannot specify a port setting of 0 (zero) for both 
the web and telnet ports at the same time. This 
would prevent you from accessing the Gateway. 
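The port-renumbering rules above, as an added example that is not Netopia's code: a small lint that reads CONFIG command lines and reports a TCP pinhole whose external range covers the port the gateway's own web or telnet server listens on, both management ports set to 0, and a renumbered management port still below 2000. The factory default ports (80 and 23) and the function names are assumptions made for this example.

```python
import re

# Constructed lint for the port-renumbering rules stated in this manual
# (an added example, not Netopia's code). It reads a few CONFIG command
# lines and reports: a TCP pinhole whose external range covers the port the
# gateway's own web or telnet server listens on; both management ports set
# to 0 (nothing left to administer the unit with); and a renumbered
# management port that is still below 2000.

DEFAULT_PORTS = {"web-http": 80, "telnet-tcp": 23}   # assumed factory defaults

PINHOLE_RE = re.compile(r"^set pinhole name (\S+) (\S+) (\S+)$")
SERVER_RE = re.compile(r"^set servers (web-http|telnet-tcp) (\d+)$")


def parse_config(lines):
    """Return (pinholes by name, management ports, explicitly set services)."""
    pinholes = {}
    servers = dict(DEFAULT_PORTS)
    explicit = set()
    for raw in lines:
        line = raw.strip()
        m = PINHOLE_RE.match(line)
        if m:
            name, key, value = m.groups()
            pinholes.setdefault(name, {})[key] = value
            continue
        m = SERVER_RE.match(line)
        if m:
            servers[m.group(1)] = int(m.group(2))
            explicit.add(m.group(1))
    return pinholes, servers, explicit


def lint(lines):
    """List of findings for the given CONFIG lines; empty means no conflict."""
    pinholes, servers, explicit = parse_config(lines)
    findings = []
    if servers["web-http"] == 0 and servers["telnet-tcp"] == 0:
        findings.append("web-http and telnet-tcp are both 0: the gateway "
                        "can no longer be administered")
    for svc in sorted(explicit):
        if 0 < servers[svc] < 2000:
            findings.append(f"{svc} port {servers[svc]} is below 2000; "
                            "the manual recommends 2000-65534")
    for name, ph in pinholes.items():
        # The management servers are TCP; a UDP pinhole cannot shadow them.
        if ph.get("protocol-select", "tcp") != "tcp" or "external-port-start" not in ph:
            continue
        start = int(ph["external-port-start"])
        end = int(ph.get("external-port-end", start))
        for svc, port in servers.items():
            if port and start <= port <= end:
                findings.append(f"pinhole {name} ({start}-{end}/tcp) covers "
                                f"{svc} port {port}; renumber the gateway service")
    return findings


# Constructed sample: forward HTTP to an internal host and turn telnet off,
# but leave the gateway's own web server on port 80.
SAMPLE = """
set pinhole name web protocol-select tcp
set pinhole name web external-port-start 80
set pinhole name web external-port-end 80
set pinhole name web internal-ip 192.168.1.10
set pinhole name web internal-port 80
set servers telnet-tcp 0
""".strip().splitlines()

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
    print("after renumbering:", lint(SAMPLE + ["set servers web-http 6080"]) or "clean")
```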



Security Settings 

Security settings include the Firewall and IPSec parameters. All 
of the security functionality is keyed. 

Firewall Settings (for BreakWater Firewall) 

set security firewall option [ ClearSailing | SilentRunning | 
LANdLocked ] 

The 3 settings for BreakWater are discussed in detail on 
page 119. 






IPsec Settings 



set security ipsec option [ off | on ] 

Turns the IPsec option off or on. Default is off. See "IPSec" on 
page 124 for more information. 

SafeHarbour IPSec Settings 

SafeHarbour VPN is a tunnel between the local network and 
another geographically dispersed network that is intercon- 
nected over the Internet. This VPN tunnel provides a secure, 
cost-effective alternative to dedicated leased lines. Internet 
Protocol Security (IPsec) is a series of services including 
encryption, authentication, integrity, and replay protection. 
Internet Key Exchange (IKE) is the key management protocol of 
IPsec that establishes keys for encryption and decryption. 
Because this VPN software implementation is built to these 
standards, the other side of the tunnel can be either another 
Cayman unit or another IPsec/IKE based security product. For 
VPN you can choose to have traffic authenticated, encrypted, or 
both. 

When connecting the Cayman unit in a telecommuting scenario, 
the corporate VPN settings will dictate the settings to be used 
in the Cayman unit. If a parameter has not been specified from 
the other end of the tunnel, choose the default unless you fully 
understand the ramifications of your parameter choice. 



set security ipsec option (off) {on | off} 

Turns on the SafeHarbour IPsec tunnel capability. 
set security ipsec tunnels name "123" 

The name of the tunnel can be quoted to allow special charac- 
ters and embedded spaces. 



set security ipsec tunnels name "123" tun-enable 
(on) {on | off} 

This enables this particular tunnel. Currently, one tunnel is sup- 
ported. 



set security ipsec tunnels name "123" dest-ext-address 
ip-address 

Specifies the IP address of the destination gateway. 



set security ipsec tunnels name "123" dest-int-network 
ip-address 

Specifies the IP address of the destination computer or internal 
network. 



set security ipsec tunnels name "123" dest-int-netmask 
netmask 

Specifies the subnet mask of the destination computer or inter- 
nal network. The subnet mask specifies which bits of the 32-bit 
IP address represents network information. The default subnet 
mask for most networks is 255.255.255.0 (class C subnet 
mask). 
set security ipsec tunnels name "123" encrypt-protocol 
(ESP) { ESP | none } 

See page 124 for details about SafeHarbour IPsec tunnel capa- 
bility. 



set security ipsec tunnels name "123" auth-protocol 
(ESP) {AH | ESP | none} 

See page 124 for details about SafeHarbour IPsec tunnel capa- 
bility. 



set security ipsec tunnels name "123" IKE-mode 
pre-shared-key-type (hex) {ascii | hex} 

See page 124 for details about SafeHarbour IPsec tunnel capa- 
bility. 



set security ipsec tunnels name "123" IKE-mode 
pre-shared-key ("") {hex string} 

See page 124 for details about SafeHarbour IPsec tunnel capa- 
bility. 

Example: 0x1234 



set security ipsec tunnels name "123" IKE-mode 
neg-method (main) {main | aggressive} 

See page 124 for details about SafeHarbour IPsec tunnel capa- 
bility. 

Note: Aggressive Mode is a little faster, but it does not provide 
identity protection for the negotiating nodes. 
set security ipsec tunnels name "123" IKE-mode 
DH-group (1) {1 | 2 | 5} 

See page 124 for details about SafeHarbour IPsec tunnel capa- 
bility. 



set security ipsec tunnels name "123" IKE-mode 
isakmp-SA-encrypt (DES) { DES | 3DES } 

See page 124 for details about SafeHarbour IPsec tunnel capa- 
bility. 



set security ipsec tunnels name "123" isakmp-SA-hash 
(MD5) {MD5 | SHA1} 

See page 124 for details about SafeHarbour IPsec tunnel capa- 
bility. 



set security ipsec tunnels name "123" PFS-enable 
{ off | on } 

See page 124 for details about SafeHarbour IPsec tunnel capa- 
bility. 
Internet Key Exchange (IKE) Settings 

The following four IPsec parameters configure the rekeying 
event. 



set security ipsec tunnels name "123" IKE-mode 
ipsec-soft-mbytes (1000) {1-1000000} 



set security ipsec tunnels name "123" IKE-mode 
ipsec-soft-seconds (82800) {60-1000000} 



set security ipsec tunnels name "123" IKE-mode 
ipsec-hard-mbytes (1200) {1-1000000} 



set security ipsec tunnels name "123" IKE-mode 
ipsec-hard-seconds (86400) {60-1000000} 

• The soft parameters designate when the system negotiates 
a new key. For example, after 82800 seconds (23 hours) or 
1 Gbyte has been transferred (whichever comes first) the key 
will be renegotiated. 

• The hard parameters indicate that the renegotiation must be 
complete or the tunnel will be disabled. For example, 86400 
seconds (24 hours) means that the renegotiation must be 
complete within one day. 

Both ends of the tunnel set parameters, and typically they will 
be the same. If they are not the same, the rekey event will hap- 
pen when the longest time period expires or when the largest 
amount of data has been sent. 
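The rekey thresholds above, as an added example in Python that is not Netopia's code: a small model that validates the four parameters against their stated ranges and ordering, combines mismatched ends the way the manual says the gateway does (longest period, largest volume), and reports whether a security association is active, due for rekeying, or expired. The class and function names are assumptions; the inference that the soft limits must sit below the hard limits follows from their roles as trigger and deadline.

```python
from dataclasses import dataclass

# Added example, not Netopia's code: models the soft/hard rekey thresholds
# described in the manual. Field defaults are the manual's defaults; the
# class and function names are assumptions made for this example.


@dataclass(frozen=True)
class Lifetime:
    soft_mbytes: int = 1000     # ipsec-soft-mbytes
    soft_seconds: int = 82800   # ipsec-soft-seconds (23 hours)
    hard_mbytes: int = 1200     # ipsec-hard-mbytes
    hard_seconds: int = 86400   # ipsec-hard-seconds (24 hours)

    def validate(self):
        """Range problems, plus soft thresholds that are not below the hard
        ones (the SA would then expire before a renegotiation ever starts)."""
        problems = []
        for name, value, low in (("ipsec-soft-mbytes", self.soft_mbytes, 1),
                                 ("ipsec-hard-mbytes", self.hard_mbytes, 1),
                                 ("ipsec-soft-seconds", self.soft_seconds, 60),
                                 ("ipsec-hard-seconds", self.hard_seconds, 60)):
            if not low <= value <= 1000000:
                problems.append(f"{name} {value} is outside {low}-1000000")
        if self.soft_mbytes >= self.hard_mbytes:
            problems.append("ipsec-soft-mbytes must be below ipsec-hard-mbytes")
        if self.soft_seconds >= self.hard_seconds:
            problems.append("ipsec-soft-seconds must be below ipsec-hard-seconds")
        return problems


def effective_lifetime(local, remote):
    """Per the manual, when the two ends differ the rekey happens at the
    longer period or the larger volume, so take the maximum of each."""
    return Lifetime(
        soft_mbytes=max(local.soft_mbytes, remote.soft_mbytes),
        soft_seconds=max(local.soft_seconds, remote.soft_seconds),
        hard_mbytes=max(local.hard_mbytes, remote.hard_mbytes),
        hard_seconds=max(local.hard_seconds, remote.hard_seconds),
    )


def sa_state(lifetime, mbytes_sent, seconds_elapsed):
    """'active', 'rekey' (soft limit reached, negotiate a new key) or
    'expired' (hard limit reached, tunnel disabled); whichever comes first."""
    if mbytes_sent >= lifetime.hard_mbytes or seconds_elapsed >= lifetime.hard_seconds:
        return "expired"
    if mbytes_sent >= lifetime.soft_mbytes or seconds_elapsed >= lifetime.soft_seconds:
        return "rekey"
    return "active"


if __name__ == "__main__":
    # Constructed scenario: 500 Mbytes after one hour, then the 23-hour mark.
    print(sa_state(Lifetime(), 500, 3600), sa_state(Lifetime(), 500, 82800))
    print(Lifetime(soft_seconds=90000).validate())
```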
Stateful Inspection 

Stateful inspection options are accessed by the security 
state-insp tag. 



set security state-insp [ ip-ppp | dsl ] vccn option [ off | on ] 
set security state-insp ethernet [ A | B ] option [ off | on ] 

Sets the stateful inspection option off or on on the specified 
interface. This option is disabled by default. Stateful inspection 
prevents unsolicited inbound access when NAT is disabled. 



set security state-insp [ ip-ppp | dsl ] vccn default-mapping [ off | on ] 
set security state-insp ethernet [ A | B ] default-mapping [ off | on ] 

Sets stateful inspection default mapping to router option off or 
on on the specified interface. 



set security state-insp [ ip-ppp | dsl ] vccn tcp-seq-diff 
[ 0 - 65535 ] 

set security state-insp ethernet [ A | B ] tcp-seq-diff 
[ 0 - 65535 ] 

Sets the acceptable TCP sequence difference on the specified 
interface. The TCP sequence number difference maximum 
allowed value is 65535. If the value of tcp-seq-diff is 0, it 
means that this check is disabled. 
set security state-insp [ ip-ppp | dsl ] vccn deny-fragments [ off | on ] 
set security state-insp ethernet [ A | B ] deny-fragments [ off | on ] 

Sets whether fragmented packets are allowed to be received or 
not on the specified interface. 



set security state-insp tcp-timeout [ 30 - 65535 ] 

Sets the stateful inspection TCP timeout interval, in seconds. 



set security state-insp udp-timeout [ 30 - 65535 ] 

Sets the stateful inspection UDP timeout interval, in seconds. 



set security state-insp xposed-addr exposed-address# "n" 

Allows you to add an entry to the specified list, or, if the list 
does not exist, creates the list for the stateful inspection fea- 
ture. 

Example: 

set security state-insp xposed-addr exposed-address# (?): 32 

32 has been added to the xposed-addr list. 

Sets the exposed list address number. 
set security state-insp xposed-addr exposed-address# "n" start-ip ip_address 

Sets the exposed list range starting IP address, in dotted quad 
format. 



set security state-insp xposed-addr exposed-address# "n" end-ip ip_address 

Sets the exposed list range ending IP address, in dotted quad 
format. 

32 exposed addresses can be created. The range for exposed 
address numbers is 1 through 32. 



set security state-insp xposed-addr exposed-address# protocol [ tcp | udp | both | any ] 

Sets the protocol for the stateful inspection feature for the 
exposed address list. Accepted values for protocol are tcp, 
udp, both, or any. 

If protocol is not any, you can set port ranges: 



set security state-insp xposed-addr exposed-address# "n" start-port [ 1 - 65535 ] 
set security state-insp xposed-addr exposed-address# "n" end-port [ 1 - 65535 ] 
SNMP Settings 



The Simple Network Management Protocol (SNMP) lets a net- 
work administrator monitor problems on a network by retrieving 
settings on remote network devices. The network administrator 
typically runs an SNMP management station program on a local 
host to obtain information from an SNMP agent such as the 
Cayman Gateway. 



set snmp community read name 

Adds the specified name to the list of communities associated 
with the Cayman Gateway. By default, the Cayman Gateway is 
associated with the public community. 



set snmp community write name 

Adds the specified name to the list of communities associated 
with the Cayman Gateway. 



set snmp community trap name 

Adds the specified name to the list of communities associated 
with the Cayman Gateway. 



set snmp trap ip-traps ip-address 

Identifies the destination for SNMP trap messages. The ip- 
address argument is the IP address of the host acting as an 
SNMP console. 



set snmp sysgroup contact contact_info 

Identifies the system contact, such as the name, phone number, 
beeper number, or email address of the person responsible 
for the Cayman Gateway. You can enter up to 255 characters 
for the contact_info argument. You must put the contact_info 
argument in double-quotes if it contains embedded spaces. 



set snmp sysgroup location location_info 

Identifies the location, such as the building, floor, or room 
number, of the Cayman Gateway. You can enter up to 255 
characters for the location_info argument. You must put the 
location_info argument in double-quotes if it contains 
embedded spaces. 

System Settings 

You can configure system settings to assign a name to your 
Cayman Gateway and to specify what types of messages you 
want the diagnostic log to record. 



set system name name 

Specifies the name of your Cayman Gateway. Each Cayman 
Gateway is assigned a name as part of its factory initialization. 
The default name for a Cayman Gateway consists of the word 
"Cayman-XX" and the serial number of the device; for example, 
Cayman-2E810700. A system name can be 1-63 characters 
long. Once you have assigned a name to your Cayman Gateway, 
you can enter that name in the Address text field of your browser 
to open a connection to your Cayman Gateway. 



NOTE: 

Some broadband cable-oriented Service Providers 
use the System Name as an important identification 
and support parameter. If your Gateway is part of 
this type of network, do NOT alter the System Name 
unless specifically instructed by your Service Pro- 
vider. 



set system diagnostic-level { off | low | medium | high | alerts | failures } 

Specifies the types of log messages you want the Cayman 
Gateway to record. All messages with a level equal to or greater 
than the level you specify are recorded. For example, if you 
specify set system diagnostic-level medium, the diagnostic log 
will retain medium-level informational messages, alerts, and 
failure messages. Specifying off turns off logging. 

Use the following guidelines: 

• low - Low-level informational messages or greater; includes 
trivial status messages. 

• medium - Medium-level informational messages or greater; 
includes status messages that can help monitor network 
traffic. 

• high - High-level informational messages or greater; 
includes status messages that may be significant but do not 
constitute errors. The default. 

• alerts - Warnings or greater; includes recoverable error 
conditions and useful operator information. 

• failures - Failures; includes messages describing error 
conditions that may not be recoverable. 

set system password { admin | user } 

Specifies the administrator or user password for a Cayman 
Gateway. When you enter the set system password com- 
mand, you are prompted to enter the old password (if any) and 
new password. You are prompted to repeat the new password 
to verify that you entered it correctly the first time. To prevent 
anyone from observing the password you enter, characters in 
the old and new passwords are not displayed as you type them. 
For security, you cannot use the "step" method to set the sys- 
tem password. 

A password can be as many as eight characters. Passwords are 
case-sensitive. 

Passwords go into effect immediately. You do not have to 
restart the Cayman Gateway for the password to take effect. 
Assigning an administrator or user password to a Cayman Gate- 
way does not affect communications through the device. 



set system heartbeat { on | off } 
protocol [ udp | tcp ] 
port-client [ 1 - 65535 ] 
ip-server ip_address 
port-server [ 1 - 65535 ] 
url-server ("server_name") 
interval (00:00:00:20) 
contact-email ("string@domain_name") 
location ("string") 

The heartbeat setting is used in conjunction with the configura- 
tion server to broadcast contact and location information about 
your Gateway. You can specify the protocol, port, IP-, port-, and 
URL-server. The interval setting specifies the broadcast 
update frequency. The contact-email setting is a quote- 
enclosed text string giving an email address for the Gateway's 
administrator. The location setting is a text string allowing 
you to specify your geographical or other location, such as "Bil- 
lerica, MA." 
set system ntp 
option [ off | on ] 
server-address (204.152.184.72) 
alt-server-address ("") 
time-zone [ -12 - 12 ] 
update-period (60) [ 1 - 65535 ] 

Specifies the NTP server address, time zone, and how often the 
Gateway should check the time from the NTP server. NTP time- 
zone of 0 is GMT time; options are -12 through 12 (+/- 1 hour 
increments from GMT time). The last setting is for specifying 
how often, in minutes, the Gateway should update the clock. 

Syslog 



set system syslog option [ off | on ] 

Enables or disables system syslog feature. If syslog option is 
on, the following commands are available: 



set system syslog host-nameip [ ip_address | hostname ] 

Specifies the syslog server's address either in dotted decimal 
format or as a DNS name up to 64 characters. 



set system syslog log-facility [ local0 ... local7 ] 

Sets the UNIX syslog Facility. Acceptable values are local0 
through local7. 



set system syslog log-violations [ off | on ] 

Specifies whether violations are logged or ignored. 
set system syslog log-accepted [ off | on ] 

Specifies whether acceptances are logged or ignored. 

set system syslog log-attempts [ off | on ] 

Specifies whether connection attempts are logged or ignored. 

Default syslog installation procedure 

1. Access the router via telnet to the product from the private 
LAN. DHCP server is enabled on the LAN by default. 

2. The product's stateful inspection feature needs to be enabled 
in order to block unsolicited TCP, UDP and ICMP packets destined 
for the router or the private hosts. 

This can be done by entering the CONFIG interface. 

• Type config 

• Type the command to enable stateful inspection 
set security state-insp eth B option on 

• Type the command to enable the router to drop fragmented 
packets 

set security state-insp eth B deny-fragments on 

3. Enabling syslog: 

• Type config 

• Type the command to enable syslog 

set system syslog option on 

• Set the IP Address of the syslog host 
set system syslog host-nameip <ip-addr> 
(example: set system syslog host-nameip 10.3.1.1) 

• Enable/change the options you require 

set system syslog log-facility local1 
set system syslog log-violations on 
set system syslog log-accepted on 
set system syslog log-attempts on 

4. Set NTP parameters 

• Type config 

• Set the time-zone - Default is 0 or GMT 
set system ntp time-zone <zone> 

(example: set system ntp time-zone -8) 

• Set NTP server-address if necessary (default is 
204.152.184.72) 

set system ntp server-address <ip-addr> 

(example: set system ntp server-address 204.152.184.73) 

• Set alternate server address 

set system ntp alt-server-address <ip-addr> 

5. Type the command to save the configuration 

• Type save 

• Exit the configuration interface by typing 
exit 

• Restart the router by typing 
restart 

The router will reboot with the new configuration in effect. 
Wireless Settings (supported models) 



set wireless option ( on | off ) 

Administratively enables or disables the wireless interface. 



set wireless essid { network_name } 

Specifies the wireless network id for the Gateway. A unique 
essid is generated for each Gateway. You must set your wire- 
less clients to connect to this exact id, which can be changed 
to any 32-character string. 



set wireless default-channel { 1...14 } 

Specifies the wireless 2.4GHz sub channel on which the wire- 
less Gateway will operate. For US operation, this is limited to 
channels 1-11. Other countries vary; for example, Japan is 
channel 14 only. The default channel in the US is 6. Channel 
selection can have a significant impact on performance, 
depending on other wireless activity in proximity to this AP. 
Channel selection is not necessary at the clients; clients will 
scan the available channels and look for APs using the same 
essid as the client. 



set wireless closed-system { on | off } 

When this setting is enabled, a client must know the essid in 
order to connect or even see the wireless access point. When 
disabled, a client may scan for available wireless access points 
and will see this one. Enable this setting for greater security. 
The default is on. 
set wireless wep option { off | on } 

WEP is Wired Equivalent Privacy, a method of encrypting data 
between the wireless Gateway and its clients. It is strongly rec- 
ommended to turn this on as it is the primary way to protect 
your network and data from intruders. Note that 40bit is the 
same as 64bit and will work with either type of wireless client. 
The default is off. 

A single key is selected (see default-key) for encryption of out- 
bound/transmitted packets. The WEP-enabled client must have 
the identical key, of the same length, in the identical slot (1..4) 
as the wireless Gateway, in order to successfully receive and 
decrypt the packet. Similarly, the client also has a 'default' key 
that it uses to encrypt its transmissions. In order for the wire- 
less Gateway to receive the client's data, it must likewise have 
the identical key, of the same length, in the same slot. For sim- 
plicity, a wireless Gateway and its clients need only enter, 
share, and use the first key. 



set wireless wep default-key id { 1...4 } 

Specifies which WEP encryption key (of 4) the wireless Gateway 
will use to transmit data. The client must have an identical 
matching key, in the same numeric slot, in order to successfully 
decode. Note that a client allows you to choose which of its 
keys it will use to transmit. Therefore, you must have an identi- 
cal key in the same numeric slot on the Gateway. 

For simplicity, it is easiest to have both the Gateway and the cli- 
ent transmit with the same key. The default is 1 . 
set wireless wep encryption-key1-length {40/64bit, 128bit, 256bit} 
set wireless wep encryption-key2-length {40/64bit, 128bit, 256bit} 
set wireless wep encryption-key3-length {40/64bit, 128bit, 256bit} 
set wireless wep encryption-key4-length {40/64bit, 128bit, 256bit} 

Selects the length of each encryption key. 40bit encryption is 
equivalent to 64bit encryption. The longer the key, the stronger 
the encryption and the more difficult it is to break the encryp- 
tion. 



set wireless wep encryption-key1 { hexadecimal digits } 
set wireless wep encryption-key2 { hexadecimal digits } 
set wireless wep encryption-key3 { hexadecimal digits } 
set wireless wep encryption-key4 { hexadecimal digits } 

The encryption keys. Enter keys using hexadecimal digits. For 
40/64bit encryption, you need 10 digits; 26 digits for 128bit, 
and 58 digits for 256bit WEP. Valid hexadecimal characters are 
0..9, a..f. 

Example 40bit key: 02468ACE02. 

Example 128bit key: 0123456789ABCDEF0123456789. 

Example 256bit key: 

592CA140F0A238B0C61AE162F592CA140F0A238B0C61AE162F21A09C. 

You must set at least one of these keys, indicated by the 
default-keyid. 
Wireless MAC Address Authorization Settings 



set wireless mac-auth option { on | off } 

Enabling this feature limits the MAC addresses that are allowed 
to access the LAN as well as the WAN to specified MAC (hard- 
ware) addresses. 



set wireless mac-auth wrlss-MAC-list mac-address 
MAC-address_string 

Enters a new MAC address into the MAC address authorization 
table. The format for an Ethernet MAC address is six hexadeci- 
mal values between 00 and FF inclusive separated by colons or 
dashes (e.g., 00:00:C5:70:00:04). 



set wireless mac-auth wrlss-MAC-list mac-address 
"MAC-address_string" allow-access { on | off } 

Designates whether the MAC address is enabled or not for wire- 
less network access. Disabled MAC addresses cannot be used 
for access until enabled. 
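A lint for the WEP key settings and the MAC authorization list described above, added here as an example and not Netopia's own code. It assumes the one-line command spellings `default-keyid`, `encryption-keyN-length` and `encryption-keyN` and uses a constructed sample configuration; it checks the hexadecimal digit count each key length requires, that the slot named by default-keyid actually holds a key, and the six-octet colon- or dash-separated MAC format.

```python
"""Lint the 'set wireless wep ...' and 'set wireless mac-auth ...' commands.

Added example; not Netopia's code. The command spellings below follow the
manual's reference section, but the exact tokenization is an assumption.
"""
import re
import shlex

# Hexadecimal digit count required per WEP key length, as the manual states.
WEP_KEY_DIGITS = {"40/64bit": 10, "128bit": 26, "256bit": 58}
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
OCTET_RE = re.compile(r"^[0-9A-Fa-f]{2}$")

# Constructed sample configuration: key3 is one digit short, default-keyid
# points at an empty slot, one MAC is a duplicate and one is malformed.
SAMPLE_CONFIG = """\
set wireless wep option on
set wireless wep default-keyid 2
set wireless wep encryption-key1-length 40/64bit
set wireless wep encryption-key1 02468ACE02
set wireless wep encryption-key3-length 128bit
set wireless wep encryption-key3 0123456789ABCDEF012345678
set wireless mac-auth option on
set wireless mac-auth wrlss-MAC-list mac-address "00:00:C5:70:00:04" allow-access on
set wireless mac-auth wrlss-MAC-list mac-address "00-00-c5-70-00-04" allow-access off
set wireless mac-auth wrlss-MAC-list mac-address "00:00:C5:70:00" allow-access on
"""


def normalize_mac(text):
    """Return AA:BB:CC:DD:EE:FF for six hex octets joined by ':' or '-', else None."""
    sep = ":" if ":" in text else "-"
    parts = text.split(sep)
    if len(parts) != 6 or not all(OCTET_RE.match(p) for p in parts):
        return None
    return ":".join(p.upper() for p in parts)


def parse_wireless_config(text):
    """Collect the WEP and MAC-auth settings from a block of set commands."""
    cfg = {"wep_on": False, "default_key": 1, "lengths": {}, "keys": {},
           "mac_auth_on": False, "macs": []}
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if tok[:3] == ["set", "wireless", "wep"] and len(tok) >= 5:
            name, args = tok[3], tok[4:]
            if name == "option":
                cfg["wep_on"] = args[0] == "on"
            elif name == "default-keyid":
                cfg["default_key"] = int(args[0])
            elif m := re.fullmatch(r"encryption-key([1-4])-length", name):
                cfg["lengths"][int(m.group(1))] = args[0]
            elif m := re.fullmatch(r"encryption-key([1-4])", name):
                cfg["keys"][int(m.group(1))] = args[0]
        elif tok[:3] == ["set", "wireless", "mac-auth"] and len(tok) >= 5:
            if tok[3] == "option":
                cfg["mac_auth_on"] = tok[4] == "on"
            elif tok[3:5] == ["wrlss-MAC-list", "mac-address"] and len(tok) >= 6:
                # An entry is enabled unless explicitly set to allow-access off.
                enabled = not (tok[6:8] == ["allow-access", "off"])
                cfg["macs"].append((tok[5], enabled))
    return cfg


def lint_wireless_config(cfg):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    if not cfg["wep_on"]:
        findings.append("WEP is off: wireless traffic is sent unencrypted")
    for slot, key in sorted(cfg["keys"].items()):
        length = cfg["lengths"].get(slot)
        if not HEX_RE.match(key):
            findings.append(f"key{slot}: contains non-hexadecimal characters")
        elif length is None:
            # No explicit -length command: the digit count must still be valid.
            if len(key) not in WEP_KEY_DIGITS.values():
                findings.append(f"key{slot}: {len(key)} digits is not a valid WEP key size")
        elif length not in WEP_KEY_DIGITS:
            findings.append(f"key{slot}: unknown key length {length!r}")
        elif len(key) != WEP_KEY_DIGITS[length]:
            findings.append(f"key{slot}: {length} needs {WEP_KEY_DIGITS[length]} hex digits, got {len(key)}")
    if cfg["wep_on"] and cfg["default_key"] not in cfg["keys"]:
        findings.append(f"default-keyid {cfg['default_key']} selects an empty key slot")
    if cfg["mac_auth_on"]:
        seen = set()
        for raw, enabled in cfg["macs"]:
            mac = normalize_mac(raw)
            if mac is None:
                findings.append(f"mac-auth: {raw!r} is not six hex octets joined by ':' or '-'")
            elif mac in seen:
                findings.append(f"mac-auth: duplicate entry {mac}")
            else:
                seen.add(mac)
        if not any(enabled for _, enabled in cfg["macs"]):
            findings.append("mac-auth is on but no enabled MAC entry exists")
    return findings


if __name__ == "__main__":
    for finding in lint_wireless_config(parse_wireless_config(SAMPLE_CONFIG)):
        print(finding)
```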

Wireless User Authentication Settings (keyed feature) 
set wireless user-auth option { on | off } 

Enabling this feature will limit access through the wireless LAN 
to the WAN to specified users who must log in using the user- 
name accounts provided under user-authentication. 



set wireless user-auth user-auth-list username 
username_string 

Enters a new user name into the user authentication table. 
set wireless user-auth user-auth-list username 
"username" user-password password_string 

Enters the password for a username. 

set wireless user-auth user-auth-list username 
"username" allow-access { on | off } 

Designates whether the username is enabled or not for login. 
Disabled usernames cannot be used for access until enabled. 

set radius radius-name "server_name_string" 

Specifies the default RADIUS server name or IP address. 

set radius radius-secret "shared_secret" 

Specifies the RADIUS secret key used by this server. The 
shared secret should have the same characteristics as a 
normal password. 

set radius alt-radius-name "server_name_string" 

Specifies an alternate RADIUS server name or IP address to be 
used if the primary server is unreachable. 

set radius alt-radius-secret "shared_secret" 

Specifies the secret key used by the alternate RADIUS server. 

set radius radius-port port_number 

Specifies the port on which the RADIUS server is listening. The 
default value is 1812. 
chapter 7 Glossary 



10Base-T. IEEE 802.3 specification for Ethernet that uses 
unshielded twisted pair (UTP) wiring with RJ-45 eight-conductor 
plugs at each end. Runs at 10 Mbps. 

100Base-T. IEEE 802.3 specification for Ethernet that uses 
unshielded twisted pair (UTP) wiring with RJ-45 eight-conductor 
plugs at each end. Runs at 100 Mbps. 

A 

ACK. Acknowledgment. Message sent from one network device 
to another to indicate that some event has occurred. See NAK. 

access rate. Transmission speed, in bits per second, of the cir- 
cuit between the end user and the network. 
adapter. Board installed in a computer system to provide net- 
work communication capability to and from that computer sys- 
tem. 

address mask. See subnet mask. 

ADSL. Asymmetric Digital Subscriber Line. Modems attached 
to twisted pair copper wiring that transmit 1.5-9 Mbps down- 
stream (to the subscriber) and 16-640 kbps upstream, 
depending on line distance. (Downstream rates are usually 
lower than 1.5 Mbps in practice.) 

AH. The Authentication Header provides data origin authentica- 
tion, connectionless integrity, and anti-replay protection ser- 
vices. It protects all data in a datagram from tampering, 
including the fields in the header that do not change in transit. 
Does not provide confidentiality. 

ANSI. American National Standards Institute. 

ASCII. American Standard Code for Information Interchange 
(pronounced ASK-ee). Code in which numbers from 0 to 255 
represent individual characters, such as letters, numbers, and 
punctuation marks; used in text representation and communi- 
cation protocols. 

asynchronous communication. Network system that allows 
data to be sent at irregular intervals by preceding each octet 
with a start bit and following it with a stop bit. Compare syn- 
chronous communication. 

Auth Protocol. Authentication Protocol for IP packet header. 
The three parameter values are None, Encapsulating Security 
Payload (ESP) and Authentication Header (AH). 
backbone. The segment of the network used as the primary 
path for transporting traffic between network segments. 

baud rate. Unit of signaling speed equal to the number of 
times per second a signal in a communications channel 
varies between states. Baud is synonymous with bits per sec- 
ond (bps) if each signal represents one bit. 

binary. Numbering system that uses only zeros and ones. 

bps. Bits per second. A measure of data transmission speed. 

BRI. Basic Rate Interface. ISDN standard for provision of low- 
speed ISDN services (two B channels (64 kbps each) and one 
D channel (16 kbps)) over a single wire pair. 

bridge. Device that passes packets between two network seg- 
ments according to the packets' destination address. 

broadcast. Message sent to all nodes on a network. 

broadcast address. Special IP address reserved for simulta- 
neous broadcast to all network nodes. 

buffer. Storage area used to hold data until it can be for- 
warded. 

C 

carrier. Signal suitable for transmission of information. 

CCITT. Comite Consultatif International Telegraphique et 
Telephonique or Consultative Committee for International Tele- 
graph and Telephone. An international organization responsible 
for developing telecommunication standards. 

CD. Carrier Detect. 

CHAP. Challenge-Handshake Authentication Protocol. Security 
protocol in PPP that prevents unauthorized access to network 
services. See RFC 1334 for the specifications. Compare PAP. 

client. Network node that requests services from a server. 

CPE. Customer Premises Equipment. Terminating equipment 
such as terminals, telephones and modems that connects a 
customer site to the telephone company network. 

CO. Central Office. Typically a local telephone company facility 
responsible for connecting all lines in an area. 

compression. Operation performed on a data set that reduces 
its size to improve storage or transmission rate. 

crossover cable. Cable that lets you connect a port on one 
Ethernet hub to a port on another Ethernet hub. You can order 
an Ethernet crossover cable from Netopia, if needed. 

CSU/DSU. Channel Service Unit/Data Service Unit. Device 
responsible for connecting a digital circuit, such as a T1 link, 
with a terminal or data communications device. 

D 

data bits. Number of bits used to make up a character. 

datagram. Logical grouping of information sent as a network- 
layer unit. Compare frame, packet. 
DCE. Digital Communication Equipment. Device that connects 
the communication circuit to the network end node (DTE). A 
modem and a CSU/DSU are examples of a DCE. 

dedicated line. Communication circuit that is used exclusively 
to connect two network devices. Compare dial on demand. 

DES. Data Encryption Standard is a 56-bit encryption algo- 
rithm developed by the U.S. National Bureau of Standards (now 
the National Institute of Standards and Technology). 

3DES. Triple DES, with a 168 bit encryption key, is the most 
accepted variant of DES. 

DH Group. Diffie-Hellman is a public key algorithm used 
between two systems to determine and deliver secret keys 
used for encryption. Groups 1, 2 and 5 are supported. Also, 
see Diffie-Hellman listing. 

DHCP. Dynamic Host Configuration Protocol. A network configu- 
ration protocol that lets a router or other device assign IP 
addresses and supply other network configuration information 
to computers on your network. 

dial on demand. Communication circuit opened over standard 
telephone lines when a network connection is needed. 

Diffie-Hellman. A group of key-agreement algorithms that let 
two computers compute a key independently without exchang- 
ing the actual key. It can generate an unbiased secret key over 
an insecure medium. 

domain name. Name identifying an organization on the Inter- 
net. Domain names consists of sets of characters separated by 
periods (dots). The last set of characters identifies the type of 
organization (.GOV, .COM, .EDU) or geographical location (.US, 
.SE). 

domain name server. Network computer that matches host 
names to IP addresses in response to Domain Name System 
(DNS) requests. 

Domain Name System (DNS). Standard method of identifying 
computers by name rather than by numeric IP address. 

DSL. Digital Subscriber Line. Modems on either end of a single 
twisted pair wire that delivers ISDN Basic Rate Access. 

DTE. Data Terminal Equipment. Network node that passes 
information to a DCE (modem) for transmission. A computer or 
router communicating through a modem is an example of a DTE 
device. 

DTR. Data Terminal Ready. Circuit activated to indicate to a 
modem (or other DCE) that the computer (or other DTE) is ready 
to send and receive data. 

E 

echo interval. Frequency with which the router sends out echo 
requests. 

Enable. This toggle button is used to enable/disable the con- 
figured tunnel. 

encapsulation. Technique used to enclose information format- 
ted for one protocol, such as AppleTalk, within a packet format- 
ted for a different protocol, such as TCP/IP. 

Encrypt Protocol. Encryption protocol for the tunnel session. 
Parameter values supported include NONE or ESP. 

encryption. The application of a specific algorithm to a data 
set so that anyone without the encryption key cannot under- 
stand the information. 

ESP. Encapsulation Security Payload (ESP) header provides 
confidentiality, data origin authentication, connectionless integ- 
rity, anti-replay protection, and limited traffic flow confidentiality. 
It encrypts the contents of the datagram as specified by the 
Security Association. The ESP transformations encrypt and 
decrypt portions of datagrams, wrapping or unwrapping the dat- 
agram within another IP datagram. Optionally, ESP transforma- 
tions may perform data integrity validation and compute an 
Integrity Check Value for the datagram being sent. The com- 
plete IP datagram is enclosed within the ESP payload. 

Ethernet crossover cable. See crossover cable. 

FCS. Frame Check Sequence. Data included in frames for error 
control. 

flow control. Technique using hardware circuits or control char- 
acters to regulate the transmission of data between a computer 
(or other DTE) and a modem (or other DCE). Typically, the 
modem has buffers to hold data; if the buffers approach capac- 
ity, the modem signals the computer to stop while it catches up 
on processing the data in the buffer. See CTS, RTS, xon/xoff. 

fragmentation. Process of breaking a packet into smaller units 
so that they can be sent over a network medium that cannot 
transmit the complete packet as a unit. 
frame. Logical grouping of information sent as a link-layer unit. 
Compare datagram, packet. 

FTP. File Transfer Protocol. Application protocol that lets one IP 
node transfer files to and from another node. 

FTP server. Host on network from which clients can transfer 
files. 

H 

Hard MBytes. Setting the Hard MBytes parameter forces the 
renegotiation of the IPSec Security Associations (SAs) at the 
configured Hard MByte value. 

The value can be configured between 1 and 1,000,000 MB and 
refers to data traffic passed. 

Hard Seconds. Setting the Hard Seconds parameter forces 
the renegotiation of the IPSec Security Associations (SAs) at 
the configured Hard Seconds value. The value can be config- 
ured between 60 and 1,000,000 seconds. 

A tunnel will start the process of renegotiation at the soft 
threshold and renegotiation must happen by the hard limit or 
traffic over the tunnel is terminated. 

hardware handshake. Method of flow control using two con- 
trol lines, usually Request to Send (RTS) and Clear to Send 
(CTS). 

header. The portion of a packet, preceding the actual data, 
containing source and destination addresses and error-check- 
ing fields. 
HMAC. Hash-based Message Authentication Code. 

hop. A unit for measuring the number of routers a packet has 
passed through when traveling from one network to another. 

hop count. Distance, measured in the number of routers to be 
traversed, from a local router to a remote network. See metric. 

hub. Another name for a repeater. The hub is a critical network 
element that connects everything to one centralized point. A 
hub is simply a box with multiple ports for network connections. 
Each device on the network is attached to the hub via an Ether- 
net cable. 

I 

IKE. Internet Key Exchange protocol provides automated key 
management and is a preferred alternative to manual key man- 
agement as it provides better security. Manual key manage- 
ment is practical in a small, static environment of two or three 
sites. Exchanging the key is done through manual means. 
Because IKE provides automated key exchange, it is good for 
larger, more dynamic environments. 

INSPECTION. The best option for Internet communications 
security is to have an SMLI firewall constantly inspecting the 
flow of traffic: determining direction, limiting or eliminating 
inbound access, and verifying down to the packet level that the 
network traffic is only what the customer chooses. The Cayman 
Gateway works like a network super traffic cop, inspecting and 
filtering out undesired traffic based on your security policy and 
resulting configuration. 

interface. A connection between two devices or networks. 
internet address. IP address. A 32-bit address used to route 
packets on a TCP/IP network. In dotted decimal notation, each 
eight bits of the 32-bit number are presented as a decimal num- 
ber, with the four octets separated by periods. 

IPCP. Internet Protocol Control Protocol. A network control pro- 
tocol in PPP specifying how IP communications will be config- 
ured and operated over a PPP link. 

IPSEC. A protocol suite defined by the Internet Engineering 
Task Force to protect IP traffic at packet level. It can be used for 
protecting the data transmitted by any service or application 
that is based on IP, but is commonly used for VPNs. 

ISAKMP. Internet Security Association and Key Management 
Protocol is a framework for creating connection specific param- 
eters. It is a protocol for establishing, negotiating, modifying, 
and deleting SAs and provides a framework for authentication 
and key exchange. ISAKMP is a part of the IKE protocol. 

K 

Key Management. The Key Management algorithm manages 
the exchange of security keys in the IPSec protocol architec- 
ture. SafeHarbour supports the standard Internet Key 
Exchange (IKE). 

LCP. Link Control Protocol. Protocol responsible for negotiating 
connection configuration parameters, authenticating peers on 
the link, determining whether a link is functioning properly, and 
terminating the link. Documented in RFC 1331. 
LQM. Link Quality Monitoring. Optional facility that lets PPP 
make policy decisions based on the observed quality of the link 
between peers. Documented in RFC 1333. 

loopback test. Diagnostic procedure in which data is sent from 
a device's output channel and directed back to its input chan- 
nel so that what was sent can be compared to what was 
received. 

M 

magic number. Random number generated by a router and 
included in packets it sends to other routers. If the router 
receives a packet with the same magic number it is using, the 
router sends and receives packets with new random numbers 
to determine if it is talking to itself. 

MD5. A 128-bit, message-digest, authentication algorithm used 
to create digital signatures. It computes a secure, irreversible, 
cryptographically strong hash value for a document. Less 
secure than variant SHA-1. 

metric. Distance, measured in the number of routers a packet 
must traverse, that a packet must travel to go from a router to a 
remote network. A route with a low metric is considered more 
efficient, and therefore preferable, to a route with a high metric. 
See hop count. 

modem. Modulator/demodulator. Device used to convert a dig- 
ital signal to an analog signal for transmission over standard 
telephone lines. A modem at the other end of the connection 
converts the analog signal back to a digital signal. 

MRU. Maximum Receive Unit. The maximum packet size, in 
bytes, that a network interface will accept. 
MTU. Maximum Transmission Unit. The maximum packet size, 
in bytes, that can be sent over a network interface. 

MULTI-LAYER. The Open System Interconnection (OSI) model 
divides network traffic into seven distinct levels, from the Physi- 
cal (hardware) layer to the Application (software) layer. Those in 
between are the Presentation, Session, Transport, Network, 
and Data Link layers. Simple first and second generation fire- 
wall technologies inspect between 1 and 3 layers of the 7 layer 
model, while our SMLI engine inspects layers 2 through 7. 

N 

NAK. Negative acknowledgment. See ACK. 

Name. The Name parameter refers to the name of the config- 
ured tunnel. This is mainly used as an identifier for the adminis- 
trator. The Name parameter is an ASCII and is limited to 31 
characters. The tunnel name is the only IPSec parameter that 
does not need to match the peer gateway. 

NCP. Network Control Protocol. 

Negotiation Method. This parameter refers to the method 
used during the Phase I key exchange, or IKE process. SafeHar- 
bour supports Main or Aggressive Mode. Main mode requires 3 
two-way message exchanges while Aggressive mode only 
requires 3 total message exchanges. 

null modem. Cable or connection device used to connect two 
computing devices directly rather than over a network. 
packet. Logical grouping of information that includes a header 
and data. Compare frame, datagram. 

PAP. Password Authentication Protocol. Security protocol within 
the PPP protocol suite that prevents unauthorized access to 
network services. See RFC 1334 for PAP specifications. Com- 
pare CHAP. 

parity. Method of checking the integrity of each character 
received over a communication channel. 

Peer External IP Address. The Peer External IP Address is the 
public, or mutable IP address of the remote gateway or VPN 
server you are establishing the tunnel with. 

Peer Internal IP Network. The Peer Internal IP Network is the 
private, or Local Area Network (LAN) address of the remote 
gateway or VPN Server you are communicating with. 

Peer Internal IP Netmask. The Peer Internal IP Netmask is the 
subnet mask of the Peer Internal IP Network. 

PFS Enable. Enable Perfect Forward Secrecy. PFS forces a DH 
negotiation during Phase II of IKE-IPSec SA exchange. You can 
disable this or select a DH group 1, 2, or 5. PFS is a security 
principle that ensures that any single key being compromised 
will permit access to only data protected by that single key. In 
PFS, the key used to protect transmission of data must not be 
used to derive any additional keys. If the key was derived from 
some other keying material, that material must not be used to 
derive any more keys. 
PING. Packet INternet Groper. Utility program that uses an 
ICMP echo message and its reply to verify that one network 
node can reach another. Often used to verify that two hosts can 
communicate over a network. 

PPP. Point-to-Point Protocol. Provides a method for transmitting 
datagrams over serial router-to-router or host-to-network con- 
nections using synchronous or asynchronous circuits. 

Pre-Shared Key. The Pre-Shared Key is a parameter used for 
authenticating each side. The value can be an ASCII or Hex and 
a maximum of 64 characters. 

Pre-Shared Key Type. The Pre-Shared Key Type classifies the 
Pre-Shared Key. SafeHarbour supports ASCII or HEX types. 

protocol. Formal set of rules and conventions that specify how 
information can be exchanged over a network. 

PSTN. Public Switched Telephone Network. 

R 

repeater. Device that regenerates and propagates electrical 
signals between two network segments. Also known as a hub. 

RFC. Request for Comment. Set of documents that specify the 
conventions and standards for TCP/IP networking. 

RIP. Routing Information Protocol. Protocol responsible for dis- 
tributing information about available routes and networks from 
one router to another. 

RJ-45. Eight-pin connector used for 10Base-T (twisted pair 
Ethernet) networks. 
route. Path through a network from one node to another. A 
large internetwork can have several alternate routes from a 
source to a destination. 

routing table. Table stored in a router or other networking 
device that records available routes and distances for remote 
network destinations. 

S 

SA Encrypt Type. SA Encryption Type refers to the symmetric 
encryption type. This encryption algorithm will be used to 
encrypt each data packet. SA Encryption Type values supported 
include DES and 3DES. 

SA Hash Type. SA Hash Type refers to the Authentication 
Hash algorithm used during SA negotiation. Values supported 
include MD5 and SHA1. N/A will display if NONE is chosen for 
Auth Protocol. 

Security Association. From the IPSEC point of view, an SA is 
a data structure that describes which transformation is to be 
applied to a datagram and how. The SA specifies: 

• The authentication algorithm for AH and ESP 

• The encryption algorithm for ESP 

• The encryption and authentication keys 

• Lifetime of encryption keys 

• The lifetime of the SA 

• Replay prevention sequence number and the replay bit table 

An arbitrary 32-bit number called a Security Parameters Index 
(SPI), as well as the destination host's address and the IPSEC 
protocol identifier, identify each SA. An SPI is assigned to an SA 
when the SA is negotiated. The SA can be referred to by using 
an SPI in AH and ESP transformations. An SA is unidirectional. SAs 
are commonly set up as bundles, because typically two SAs are 
required for communications. SA management is always done 
on bundles (setup, delete, relay). 

serial communication. Method of data transmission in which 
data bits are transmitted sequentially over a communication 
channel. 

SHA-1. An implementation of the U.S. Government Secure 
Hash Algorithm; a 160-bit authentication algorithm. 

Soft MBytes. Setting the Soft MBytes parameter forces the 
renegotiation of the IPSec Security Associations (SAs) at the 
configured Soft MByte value. The value can be configured 
between 1 and 1,000,000 MB and refers to data traffic passed. 
If this value is not achieved, the Hard MBytes parameter is 
enforced. 

Soft Seconds. Setting the Soft Seconds parameter forces the 
renegotiation of the IPSec Security Associations (SAs) at the 
configured Soft Seconds value. The value can be configured 
between 60 and 1,000,000 seconds. 

SPI. The Security Parameter Index is an identifier for the 
encryption and authentication algorithm and key. The SPI indi- 
cates to the remote firewall the algorithm and key being used to 
encrypt and authenticate a packet. It should be a unique num- 
ber greater than 255. 

STATEFUL. The Cayman Gateway monitors and maintains the 
state of any network transaction. In terms of network request- 
and-reply, state consists of the source IP address, destination 
IP address, communication ports, and data sequence. The Cay- 
man Gateway processes the stream of a network conversation, 
rather than just individual packets. It verifies that packets are 
sent from and received by the proper IP addresses along the 
proper communication ports in the correct order and that no 
imposter packets interrupt the packet flow. Packet filtering mon- 
itors only the ports involved, while the Cayman Gateway ana- 
lyzes the continuous conversation stream, preventing session 
hijacking and denial of service attacks. 

static route. Route entered manually in a routing table. 

subnet mask. A 32-bit address mask that identifies which bits 
of an IP address represent network address information and 
which bits represent node identifier information. 

synchronous communication. Method of data communica- 
tion requiring the transmission of timing signals to keep PPP 
peers synchronized in sending and receiving blocks of data. 

telnet. IP protocol that lets a user on one host establish and 
use a virtual terminal connection to a remote host. 

twisted pair. Cable consisting of two copper strands twisted 
around each other. The twisting provides protection against 
electromagnetic interference. 

U 

UTP. Unshielded twisted pair cable. 
VJ. Van Jacobson. Abbreviation for a compression standard 
documented in RFC 1144. 

W 

WAN. Wide Area Network. Private network facilities, usually 
offered by public telephone companies but increasingly avail- 
able from alternative access providers (sometimes called Com- 
petitive Access Providers, or CAPs), that link business network 
nodes. 

WWW. World Wide Web. 

chapter 8 Technical Specifications and Safety Information 



Description 

Dimensions: 

Smart Modems: 13.5 cm (w) x 13.5 cm (d) x 3.5 cm (h); 5.25" (w) x 5.25" 
(d) x 1.375" (h) 

Wireless Models: 19.5 cm (w) x 17.0 cm (d) x 4.0 cm (h); 7.6" (w) x 6.75" 
(d) x 1.5" (h) 

3342/3352: 8.5 cm (w) x 4.5 cm (d) x 2 cm (h); 3.375" (w) x 1.75" (d) x 
.875" (h) 
Communications interfaces: The Netopia 3300 Series Gateways 
have an RJ-11 jack for DSL line connections or an RJ-45 jack for cable/DSL 
modem connections and 1 or 4-port 10/100Base-T Ethernet switch for your 
LAN connections. Some models have a USB port that can be used to 
connect to your PC; in some cases, the USB port also serves as the power 
source. Some models contain an 802.11b wireless LAN transmitter. 

Power requirements 

■ 12 VDC input 

■ 1.0 amps 

■ USB-powered models only: For Use with Listed I.T.E. Only 

Environment 

Operating temperature: 0° to +40° C 

Storage temperature: 0° to +70° C 

Relative storage humidity: 20 to 80% noncondensing 

Software and protocols 

Software media: Software preloaded on internal flash memory; field 
upgrades done via download to internal flash memory via TFTP or web 
upload (does not apply to 3342/3352). 

Routing: TCP/IP Internet Protocol Suite, RIP 

WAN support: PPPoE, DHCP, static IP address 

Security: PAP, CHAP, UI password security, IPsec 

Management/configuration methods: http (Web server), Telnet 
Diagnostics: Ping, event logging, routing table displays, statistics 
counters, web-based management 
Agency approvals 



North America 

Safety Approvals: 

■ United States - UL 60950, Third Edition 

■ Canada - CSA: CAN/CSA-C22.2 No. 60950-00 
EMC: 

■ United States - FCC Part 15 Class B 

■ Canada - ICES-003 
Telecom: 

■ United States - FCC Part 68 

■ Canada - CS-03 

International 

Safety Approvals: 

■ Low Voltage (European directive) 73/23 

■ EN60950 (Europe) 
EMI Compatibility: 

■ 89/336/EEC (European directive) 

■ EN55022:1994 CISPR22 Class B 

■ EN300 386 V1.2.1 (non-wireless products) 

■ EN 301-489 (wireless products) 

Regulatory notices 

European Community. This Netopia product conforms to the 
European Community CE Mark standard for the design and manufacturing of 
information technology equipment. This standard covers a broad area of 
product design, including RF emissions and immunity from electrical 
disturbances. 
Manufacturer's Declaration of Conformance 



The Netopia 3300 Series complies with the following EU directives: 

■ Low Voltage, 73/23/EEC 

■ EMC Compatibility, 89/336/EEC, conforming to EN 55 022 



Manufacturer's Declaration of 
Conformance 



Warnings: 

This is a Class B product. In a domestic environment this prod- 
uct may cause radio interference, in which case the user may 
be required to take adequate measures. Adequate measures 
include increasing the physical distance between this product 
and other electrical devices. 

Changes or modifications to this unit not expressly approved by 
the party responsible for compliance could void the user's 
authority to operate the equipment. 



United States. This equipment has been tested and found to comply 
with the limits for a Class B digital device, pursuant to Part 15 of the FCC 
Rules. These limits are designed to provide reasonable protection against 
harmful interference in a residential installation. This equipment generates, 
uses, and can radiate radio frequency energy and, if not installed and used 
in accordance with the instructions, may cause harmful interference to radio 
communications. However, there is no guarantee that interference will not 
occur in a particular installation. If this equipment does cause harmful 
interference to radio or television reception, which can be determined by 
turning the equipment off and on, the user is encouraged to try to correct 
the interference by one or more of the following measures: 

■ Reorient or relocate the receiving antenna. 

■ Increase the separation between the equipment and receiver. 

■ Connect the equipment into an outlet on a circuit different from that to 
which the receiver is connected. 
■ Consult the dealer or an experienced radio/TV technician for help. 

Service requirements. In the event of equipment malfunction, all 
repairs should be performed by our Company or an authorized agent. Under 
FCC rules, no customer is authorized to repair this equipment. This 
restriction applies regardless of whether the equipment is in or out of 
warranty. It is the responsibility of users requiring service to report the need 
for service to our Company or to one of our authorized agents. Service can 
be obtained at Netopia, Inc., 6001 Shellmound Street, Emeryville, 
California, 94608. Telephone: 510-597-5400. 



Important 

This product was tested for FCC compliance under conditions 
that included the use of shielded cables and connectors 
between system components. Changes or modifications to this 
product not authorized by the manufacturer could void your 
authority to operate the equipment. 



Canada. This Class B digital apparatus meets all requirements of the 
Canadian Interference-Causing Equipment Regulations. 

This Class B digital apparatus meets all requirements of the Canadian 
Interference-Causing Equipment Regulations. 



Declaration for Canadian users 

NOTICE: The Canadian Industry Canada label identifies certified 
equipment. This certification means that the equipment meets certain 
telecommunications network protective, operation, and safety 
requirements. The Department does not guarantee the equipment will 
operate to the user's satisfaction. 
Before installing this equipment, users should ensure that it is permissible 
to be connected to the facilities of the local telecommunications 
company. The equipment must also be installed using an acceptable 
method of connection. In some cases, the company's inside wiring 
associated with a single line individual service may be extended by means 
of a certified connector assembly (telephone extension cord). The 
customer should be aware that compliance with the above conditions may 
not prevent degradation of service in some situations. 

Repairs to the certified equipment should be made by an authorized 
Canadian maintenance facility designated by the supplier. Any repairs or 
alterations made by the user to this equipment, or equipment 
malfunctions, may give the telecommunications company cause to 
request the user to disconnect the equipment. 

Users should ensure for their own protection that the electrical ground 
connections of the power utility, telephone lines, and internal metallic 
water pipe system, if present, are connected together. This precaution 
may be particularly important in rural areas. 

Caution 

Users should not attempt to make such connections themselves, but should 
contact the appropriate electric inspection authority, or electrician, as 
appropriate. 

The Ringer Equivalence Number (REN) assigned to each terminal device 
provides an indication of the maximum number of terminals allowed to be 
connected to a telephone interface. The termination on an interface may 
consist of any combination of devices subject only to the requirement that 
the sum of the Ringer Equivalence Numbers of all the devices does not 
exceed 5. 
Important Safety Instructions 



Australian Safety Information 

The following safety information is provided in conformance with Australian 
safety requirements: 

Caution 

DO NOT USE BEFORE READING THE INSTRUCTIONS: Do not connect the 
Ethernet ports to a carrier or carriage service provider's telecommunica- 
tions network or facility unless: a) you have the written consent of the 
network or facility manager, or b) the connection is in accordance with a 
connection permit or connection rules. 

Connection of the Ethernet ports may cause a hazard or damage to the tele- 
communication network or facility, or persons, with consequential liability for 
substantial compensation. 

Caution 

■ The direct plug-in power supply serves as the main power disconnect; 
locate the direct plug-in power supply near the product for easy access. 

■ For use only with CSA Certified Class 2 power supply, rated 12VDC, 
1.0A. 

Telecommunication installation cautions 

■ Never install telephone wiring during a lightning storm. 

■ Never install telephone jacks in wet locations unless the jack is 
specifically designed for wet locations. 

■ Never touch uninsulated telephone wires or terminals unless the 
telephone line has been disconnected at the network interface. 

■ Use caution when installing or modifying telephone lines. 

■ Avoid using a telephone (other than a cordless type) during an electrical 
storm. There may be a remote risk of electric shock from lightning. 

■ Do not use the telephone to report a gas leak in the vicinity of the leak. 
FCC Part 68 Information 



FCC Requirements 

1. The Federal Communications Commission (FCC) has established Rules 
which permit this device to be directly connected to the telephone 
network. Standardized jacks are used for these connections. This 
equipment should not be used on party lines or coin phones. 

2. If this device is malfunctioning, it may also be causing harm to the 
telephone network; this device should be disconnected until the source 
of the problem can be determined and until repair has been made. If 
this is not done, the telephone company may temporarily disconnect 
service. 

3. The telephone company may make changes in its technical operations 
and procedures; if such changes affect the compatibility or use of this 
device, the telephone company is required to give adequate notice of 
the changes. You will be advised of your right to file a complaint with the 
FCC. 

4. If the telephone company requests information on what equipment is 
connected to their lines, inform them of: 

a. The telephone number to which this unit is connected. 

b. The ringer equivalence number. [O.XB] 

c. The USOC jack required. [RJ11C] 

d. The FCC Registration Number. [XXXUSA-XXXXX-XX-E] 

Items (b) and (d) are indicated on the label. The Ringer Equivalence 
Number (REN) is used to determine how many devices can be 
connected to your telephone line. In most areas, the sum of the RENs 
of all devices on any one line should not exceed five (5.0). If too many 
devices are attached, they may not ring properly. 



FCC Statements 

a) This equipment complies with Part 68 of the FCC rules and the 
requirements adopted by the ACTA. On the bottom of this equipment is a 
label that contains, among other information, a product identifier in the 
format US:AAAEQ##TXXXX. If requested, this number must be provided to 
the telephone company. 
b) List all applicable certification jack Universal Service Order Codes 
("USOC") for the equipment: RJ11. 

c) A plug and jack used to connect this equipment to the premises wiring 
and telephone network must comply with the applicable FCC Part 68 rules 
and requirements adopted by the ACTA. A compliant telephone cord and 
modular plug is provided with this product. It is designed to be connected to 
a compatible modular jack that is also compliant. See installation 
instructions for details. 

d) The REN is used to determine the number of devices that may be 
connected to a telephone line. Excessive RENs on a telephone line may 
result in the devices not ringing in response to an incoming call. In most but 
not all areas, the sum of RENs should not exceed five (5.0). To be certain of 
the number of devices that may be connected to a line, as determined by 
the total RENs, contact the local telephone company. For products approved 
after July 23, 2002, the REN for this product is part of the product identifier 
that has the format US:AAAEQ##TXXXX. The digits represented by ## are 
the REN without a decimal point (e.g., 03 is a REN of 0.3). For earlier 
products, the REN is separately shown on the label. 

e) If this equipment, the Netopia 3300 Series router, causes harm to the 
telephone network, the telephone company will notify you in advance that 
temporary discontinuance of service may be required. But if advance notice 
isn't practical, the telephone company will notify the customer as soon as 
possible. Also, you will be advised of your right to file a complaint with the 
FCC if you believe it is necessary. 

f) The telephone company may make changes in its facilities, equipment, 
operations or procedures that could affect the operation of the equipment. If 
this happens the telephone company will provide advance notice in order for 
you to make necessary modifications to maintain uninterrupted service. 

g) If trouble is experienced with this equipment, the Netopia 3300 Series 
router, for repair or warranty information, please contact: 

Netopia Technical Support 

510-597-5400 

www.netopia.com. 

If the equipment is causing harm to the telephone network, the telephone 
company may request that you disconnect the equipment until the problem 
is resolved. 

h) This equipment is not intended to be repaired by the end user. In case of 
any problems, please refer to the troubleshooting section of the Product 
User Manual before calling Netopia Technical Support. 
i) Connection to party line service is subject to state tariffs. Contact the 
state public utility commission, public service commission or corporation 
commission for information. 

j) If your home has specially wired alarm equipment connected to the 
telephone line, ensure the installation of this Netopia 3300 Series router 
does not disable your alarm equipment. If you have questions about what 
will disable alarm equipment, consult your telephone company or qualified 
installer. 

RF Exposure Statement: 

NOTE: Installation of the wireless models must maintain at least 20 cm 
between the wireless router and any body part of the user to be in 
compliance with FCC RF exposure guidelines. 



Electrical Safety Advisory 

Telephone companies report that electrical surges, typically lightning 
transients, are very destructive to customer terminal equipment connected 
to AC power sources. This has been identified as a major nationwide 
problem. Therefore it is advised that this equipment be connected to AC 
power through the use of a surge arrestor or similar protection device. 